Xen Security Advisory CVE-2016-3157 / XSA-171
version 4

I/O port access privilege escalation in x86-64 Linux

UPDATES IN VERSION 4
====================

Clarify Vulnerable Systems section.

Public release.

ISSUE DESCRIPTION
=================

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero. Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl). The
invocation of this hypercall, while present in the 32-bit context switch
path, is missing from its 64-bit counterpart.

IMPACT
======

User mode processes not supposed to be able to access I/O ports may be
granted such permission, potentially resulting in one or more of in-guest
privilege escalation, guest crashes (Denial of Service), or in-guest
information leaks.

VULNERABLE SYSTEMS
==================

All upstream x86-64 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.

x86 HVM guests are not vulnerable.

32-bit Linux guests are not vulnerable.

x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are
not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not aware
of any with an analogous bug.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the attached patch resolves this issue for the indicated Linux
versions.

xsa171.patch        Linux 4.5-rc7, Linux 4.4.x

$ sha256sum xsa171*
5d47ead1212c735b444ac8f82e7f311cda3473fe3847e576c3772ce020265dfd  xsa171.patch
$
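The mechanism the advisory describes can be made concrete with a small model. The following C program is an added illustration, not code from Linux, Xen or the XSA-171 patch: it models the hypervisor's per-vCPU virtual IOPL (the value a PV guest kernel sets through PHYSDEVOP_set_iopl), a guest kernel context switch that re-syncs that value when the incoming task's IOPL differs (as the 32-bit path does), and a switch path that never issues the hypercall (as the 64-bit path did). The function names `physdevop_set_iopl`, `sys_iopl`, `switch_to_fixed`, `switch_to_buggy` and the `struct task` layout are assumptions of this model, chosen only to mirror the roles named in the advisory.

```c
/*
 * Added illustrative model of XSA-171 (not Linux or Xen code).
 * Shows why a PV guest kernel must tell the hypervisor the new task's
 * IOPL on every context switch, and what an ordinary task inherits
 * when one switch path forgets to do so.
 */
#include <stdbool.h>
#include <stdio.h>

/* Model of the hypervisor's virtual IOPL for this vCPU (assumed name). */
static unsigned int hv_iopl = 0;

/* Stand-in for the PHYSDEVOP_set_iopl hypercall (assumed function name). */
static void physdevop_set_iopl(unsigned int iopl)
{
    hv_iopl = iopl & 3;
}

/* Minimal task descriptor: only the per-thread IOPL matters here. */
struct task {
    const char *name;
    unsigned int iopl;
};

/* Model of the iopl() system call on a PV guest: the kernel records the
 * level in the task and immediately informs the hypervisor. */
static void sys_iopl(struct task *current, unsigned int level)
{
    current->iopl = level & 3;
    physdevop_set_iopl(current->iopl);
}

/* Switch path that re-syncs the hypervisor when the IOPL changes,
 * as the advisory says the 32-bit context switch path does. */
static void switch_to_fixed(const struct task *prev, const struct task *next)
{
    if (prev->iopl != next->iopl)
        physdevop_set_iopl(next->iopl);
}

/* Switch path with the hypercall missing, as in the 64-bit path the
 * advisory describes: the virtual IOPL is left as the previous task set it. */
static void switch_to_buggy(const struct task *prev, const struct task *next)
{
    (void)prev;
    (void)next;
}

/* Model of the hypervisor's check when guest user mode (CPL 3) executes
 * an I/O port instruction: allowed only if the virtual IOPL is 3. */
static bool user_port_access_allowed(void)
{
    return hv_iopl == 3;
}

/* Scenario: a task legitimately raises its IOPL to 3 (e.g. a display
 * server), then an ordinary task is scheduled in. Returns true if the
 * ordinary task ends up with I/O port access it was never granted. */
static bool ordinary_task_gains_ports(
    void (*switch_to)(const struct task *, const struct task *))
{
    struct task idle = { "idle", 0 };
    struct task privileged = { "privileged", 0 };
    struct task ordinary = { "ordinary", 0 };

    hv_iopl = 0;
    switch_to(&idle, &privileged);    /* privileged task scheduled in */
    sys_iopl(&privileged, 3);         /* it requests port access */
    switch_to(&privileged, &ordinary);/* ordinary task scheduled in */
    return user_port_access_allowed();
}

int main(void)
{
    printf("missing hypercall: ordinary task gets port access: %s\n",
           ordinary_task_gains_ports(switch_to_buggy) ? "yes" : "no");
    printf("hypercall on switch: ordinary task gets port access: %s\n",
           ordinary_task_gains_ports(switch_to_fixed) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the leak is a bookkeeping omission rather than a hardware fault: each task's IOPL is tracked correctly by the guest kernel, but because IRET cannot restore EFLAGS.IOPL for a ring-3 kernel, the hypervisor only learns about a change when the guest explicitly calls PHYSDEVOP_set_iopl, and a switch path that skips the call leaves the previous task's permission in force.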
This patch is not for app-emulation/xen. The patch is a kernel patch.
As per Ian, this is a kernel bug. Redirecting to Kernel maintainers.
All upstream LTS kernels include the patch; all sys-kernel/gentoo-sources ebuilds excluding sys-kernel/gentoo-sources-3.4.x have stable ebuilds containing the fix. =sys-kernel/gentoo-sources-3.4.113 will be stabilized in bug 522930.
Security, can you please close this obsolete one? Thanks