From ${URL} : Xen Security Advisory CVE-2014-5148 / XSA-103 version 3 Flaw in handling unknown system register access from 64-bit userspace on ARM UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When handling an unknown system register access from 64-bit userspace Xen would incorrectly return to the second instruction of the trap handler for faults in kernel space rather than the first instruction of the trap handler for faults in 64-bit userspace. Any user in a guest which is running a 64-bit kernel who is able to spawn a 64-bit process can cause a trap to the kernel to be taken at an unexpected (but not user controlled) exception address. Known versions of Linux in the default configuration will Oops and kill the offending process, and therefore avoid this vulnerability. However local configuration may turn such an Oops into a kernel panic, and therefore a guest denial of service. IMPACT ====== Depending on the guest kernel implementation, kernel crash (guest DoS) or privilege elevation to that of the guest kernel cannot be ruled out. This issue does not enable an attack on the host. VULNERABLE SYSTEMS ================== 64-bit ARM systems may be vulnerable, depending on the guest kernel. All versions of Linux released by Linux upstream to date avoid this vulnerability. Systems based on modified versions of Linux may be vulnerable. 32-bit ARM systems, and X86 systems, are not vulnerable. MITIGATION ========== There is no known mitigation for this issue. CREDITS ======= This issue was reported as a bug by Riku Voipio, discovered via Linaro's LAVA testing and was diagnosed as a security issue by Ian Campbell. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. The patch for XSA-103 (specifically, xsa102-*-02.patch) must be applied first. xsa103-unstable.patch xen-unstable xsa103-4.4.patch Xen 4.4.x @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
fixed in app-emulation/xen-4.4.0-r6, vulnerable version has been cleaned. and I'm closing this bug. thanks.
CVE-2014-5148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5148): Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process.