Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 579076 (CVE-2016-3157, XSA-171) - app-emulation/xen, app-emulation/xen-tools: I/O port access privilege escalation in x86-64 Linux (XSA-171) (CVE-2016-3157)
Summary: app-emulation/xen, app-emulation/xen-tools: I/O port access privilege escalat...
Status: RESOLVED FIXED
Alias: CVE-2016-3157, XSA-171
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL:
Whiteboard: B1 [stable blocked cve]
Keywords:
Depends on: CVE-2014-6416
Blocks:
  Show dependency tree
 
Reported: 2016-04-05 05:50 UTC by Yury German
Modified: 2019-03-27 23:44 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Yury German Gentoo Infrastructure gentoo-dev 2016-04-05 05:50:09 UTC
Xen Security Advisory CVE-2016-3157 / XSA-171
                              version 4

         I/O port access privilege escalation in x86-64 Linux

UPDATES IN VERSION 4
====================

Clarify Vulnerable Systems section.

Public release.

ISSUE DESCRIPTION
=================

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero.  Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl).  The
invocation of this hypercall, while present in the 32-bit context
switch path, is missing from its 64-bit counterpart.

IMPACT
======

User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.

VULNERABLE SYSTEMS
==================

All upstream x86-64 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.  x86 HVM guests are not vulnerable.
32-bit Linux guests are not vulnerable.

x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are
not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the attached patch resolves this issue for the indicated Linux
versions.

xsa171.patch           Linux 4.5-rc7, Linux 4.4.x

$ sha256sum xsa171*
5d47ead1212c735b444ac8f82e7f311cda3473fe3847e576c3772ce020265dfd  xsa171.patch
$
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2016-04-23 10:21:05 UTC
This patch is not for app-emulation/xen. The patch is a kernel patch
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 05:26:45 UTC
As per Ian, this is a kernel bug. Redirecting to Kernel maintainers.
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-21 16:43:57 UTC
All upstream LTS kernels are including the patch; All sys-kernel/gentoo-sources ebuilds excluding sys-kernel/gentoo-sources-3.4.x have stable ebuilds containing the fix.

=sys-kernel/gentoo-sources-3.4.113 will be stabilized in bug 522930.
Comment 4 Tomáš Mózes 2018-12-10 09:41:47 UTC
Security, can you please close this obsolete one? Thanks