Xen Security Advisory CVE-2016-3157 / XSA-171
I/O port access privilege escalation in x86-64 Linux
UPDATES IN VERSION 4
Clarify Vulnerable Systems section.
ISSUE DESCRIPTION

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero. Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), the
guest kernel cannot change IOPL itself: context switching of
EFLAGS.IOPL requires a dedicated hypercall (PHYSDEVOP_set_iopl), which
the guest must issue whenever it switches between tasks with different
IOPL values. The invocation of this hypercall, while present in the
32-bit context switch path, is missing from its 64-bit counterpart, so
the IOPL set by one task stays in effect on that vCPU for whichever
task runs next.
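A practical way to check a running guest for the symptom described above, as an added example that is not part of the advisory or of the Linux kernel: the program below has two modes. `hold`, run as root (iopl(3) needs CAP_SYS_RAWIO), raises its own IOPL to 3 and then blocks, which forces a context switch away from it; `probe`, run afterwards as an unprivileged user on the same CPU, attempts a single port read under a SIGSEGV handler. The mode names, the program name and the choice of port 0x80 are this example's own; pinning both processes to one CPU is left to taskset(1) so that they share a vCPU.

```c
/*
 * Added example (not from XSA-171 or Linux): user-space probe for a
 * leaked EFLAGS.IOPL.  "hold" parks a root task with IOPL 3 on one CPU;
 * "probe", run unprivileged on the same CPU, tries one inb.  On a fixed
 * kernel the probe takes #GP (delivered as SIGSEGV); on an affected
 * x86-64 PV guest the vCPU still carries the holder's IOPL and the
 * read succeeds.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/io.h>             /* iopl(), inb() */
#define HAVE_PORT_IO 1
#else
#define HAVE_PORT_IO 0          /* no x86 port I/O: probe reports unsupported */
#endif

enum probe_result { PROBE_DENIED = 0, PROBE_GRANTED = 1, PROBE_UNSUPPORTED = 2 };

static sigjmp_buf gp_escape;

/* A #GP raised by a port instruction reaches user space as SIGSEGV. */
static void on_sigsegv(int sig)
{
    (void)sig;
    siglongjmp(gp_escape, 1);
}

/*
 * Execute one inb from port 0x80 (the POST/debug port; reading it has no
 * side effects).  PROBE_GRANTED is returned only if the instruction ran,
 * i.e. only if this task is currently executing with IOPL 3.
 */
enum probe_result probe_port_access(void)
{
#if HAVE_PORT_IO
    struct sigaction sa, old;
    enum probe_result r;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsegv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return PROBE_UNSUPPORTED;

    if (sigsetjmp(gp_escape, 1) == 0) {
        (void)inb(0x80);        /* faults unless EFLAGS.IOPL == 3 */
        r = PROBE_GRANTED;
    } else {
        r = PROBE_DENIED;       /* landed here from the SIGSEGV handler */
    }
    sigaction(SIGSEGV, &old, NULL);
    return r;
#else
    return PROBE_UNSUPPORTED;
#endif
}

const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_DENIED:  return "denied: this task runs with IOPL 0 (expected on a fixed kernel)";
    case PROBE_GRANTED: return "GRANTED: an unprivileged task has IOPL 3, the XSA-171 symptom";
    default:            return "unsupported: no x86 port I/O on this platform";
    }
}

int main(int argc, char **argv)
{
    if (argc == 2 && strcmp(argv[1], "hold") == 0) {
#if HAVE_PORT_IO
        if (iopl(3) != 0) {     /* requires root / CAP_SYS_RAWIO */
            perror("iopl(3)");
            return 1;
        }
        puts("holder parked with IOPL=3; run the probe on the same CPU, then Ctrl-C");
        for (;;)
            pause();            /* block so the kernel switches away from us */
#else
        fputs("hold: port I/O unavailable on this platform\n", stderr);
        return 1;
#endif
    }
    enum probe_result r = probe_port_access();
    printf("probe: %s\n", describe(r));
    return r == PROBE_GRANTED ? 2 : 0;
}
```

Build with `cc -O1 -o xsa171-probe xsa171-probe.c`, start `sudo taskset -c 0 ./xsa171-probe hold &`, then run `taskset -c 0 ./xsa171-probe probe` as a non-root user. "denied" is the correct result; "GRANTED" means the holder's IOPL survived the context switch, which only reproduces on an affected x86-64 PV guest. Run on its own, or on bare metal, HVM or a 32-bit PV guest, the probe reports denied, since a fresh process starts with IOPL 0.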
IMPACT

User mode processes that are not supposed to be able to access I/O
ports may be granted such permission, potentially resulting in one or
more of in-guest privilege escalation, guest crashes (Denial of
Service), or in-guest information leaks.
VULNERABLE SYSTEMS

All upstream x86-64 Linux versions operating as PV Xen guests are

ARM systems are not vulnerable. x86 HVM guests are not vulnerable.
32-bit Linux guests are not vulnerable.

x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.
MITIGATION

Running only HVM or 32-bit PV guests will avoid this issue.
CREDITS

This issue was discovered by Andy Lutomirski.
RESOLUTION

Applying the attached patch resolves this issue for the indicated Linux

xsa171.patch           Linux 4.5-rc7, Linux 4.4.x

$ sha256sum xsa171*

This patch is not for app-emulation/xen. The patch is a kernel patch.

As per Ian, this is a kernel bug. Redirecting to Kernel maintainers.

All upstream LTS kernels include the patch; all sys-kernel/gentoo-sources
ebuilds excluding sys-kernel/gentoo-sources-3.4.x have stable ebuilds
containing the fix.
=sys-kernel/gentoo-sources-3.4.113 will be stabilized in bug 522930.

Security, can you please close this obsolete one? Thanks