Bug 579076 (CVE-2016-3157, XSA-171) - app-emulation/xen, app-emulation/xen-tools: I/O port access privilege escalation in x86-64 Linux (XSA-171) (CVE-2016-3157)
Summary: app-emulation/xen, app-emulation/xen-tools: I/O port access privilege escalat...
Status: RESOLVED FIXED
Alias: CVE-2016-3157, XSA-171
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Security
URL:
Whiteboard: B1 [stable blocked cve]
Keywords:
Depends on: CVE-2014-6416
Blocks:
Reported: 2016-04-05 05:50 UTC by Yury German
Modified: 2019-03-27 23:44 UTC

See Also:
Package list:
Runtime testing required: ---


Description Yury German Gentoo Infrastructure gentoo-dev 2016-04-05 05:50:09 UTC
Xen Security Advisory CVE-2016-3157 / XSA-171
                              version 4

         I/O port access privilege escalation in x86-64 Linux

UPDATES IN VERSION 4
====================

Clarify Vulnerable Systems section.

Public release.

ISSUE DESCRIPTION
=================

IRET and POPF do not modify EFLAGS.IOPL when executed by code at a
privilege level other than zero.  Since PV Xen guests run at privilege
level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to
compensate for this the context switching of EFLAGS.IOPL requires the
guest to make use of a dedicated hypercall (PHYSDEVOP_set_iopl).  The
invocation of this hypercall, while present in the 32-bit context
switch path, is missing from its 64-bit counterpart.

IMPACT
======

User mode processes not supposed to be able to access I/O ports may
be granted such permission, potentially resulting in one or more of
in-guest privilege escalation, guest crashes (Denial of Service), or
in-guest information leaks.

VULNERABLE SYSTEMS
==================

All upstream x86-64 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.  x86 HVM guests are not vulnerable.
32-bit Linux guests are not vulnerable.

x86-64 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are
not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.

MITIGATION
==========

Running only HVM or 32-bit PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Andy Lutomirski.

RESOLUTION
==========

Applying the attached patch resolves this issue for the indicated Linux
versions.

xsa171.patch           Linux 4.5-rc7, Linux 4.4.x

$ sha256sum xsa171*
5d47ead1212c735b444ac8f82e7f311cda3473fe3847e576c3772ce020265dfd  xsa171.patch
$
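The advisory's impact is that an unprivileged user-mode process may find itself able to execute I/O port instructions because the 64-bit PV context switch path did not call PHYSDEVOP_set_iopl. The following probe is an added example written for this page; it is not part of the XSA, the Linux patch or this Gentoo bug. It executes a single `inb` under a SIGSEGV handler and reports whether the instruction retired or faulted. It assumes an x86 Linux build (other architectures get PROBE_UNSUPPORTED), that reading port 0x80 (the conventional POST diagnostic port) is harmless, and the function names `probe_io_port` and `probe_describe` are the example's own.

```c
/*
 * Added example, not from the XSA-171 advisory, the Linux patch or Gentoo.
 * Probe whether this process may execute an x86 I/O port instruction.
 *
 * Expected on a patched kernel, an HVM guest or bare metal: PROBE_FAULTED,
 * because a user-mode `inb` without IOPL/ioperm raises #GP and Linux
 * delivers SIGSEGV. On an unpatched 64-bit PV guest a process that never
 * called iopl() may instead observe PROBE_ALLOWED after being scheduled
 * behind a task that had raised IOPL, which is the leak the advisory
 * describes. Run it from a process that has NOT requested I/O privilege;
 * a result of PROBE_ALLOWED after iopl(3)/ioperm() is not a bug.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

enum probe_result {
    PROBE_FAULTED     = 0,  /* inb raised #GP -> SIGSEGV: no I/O privilege */
    PROBE_ALLOWED     = 1,  /* inb executed: EFLAGS.IOPL or an ioperm bitmap lets us in */
    PROBE_UNSUPPORTED = 2   /* not an x86 build (or sigaction failed): nothing probed */
};

static sigjmp_buf probe_env;

/* SIGSEGV handler: unwind back into probe_io_port instead of dying. */
static void probe_on_sigsegv(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Execute one `inb` on `port` (assumed harmless: 0x80) with SIGSEGV trapped. */
int probe_io_port(unsigned short port)
{
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old;
    int result;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_on_sigsegv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0)
        return PROBE_UNSUPPORTED;

    if (sigsetjmp(probe_env, 1) == 0) {
        unsigned char value;
        /* Same operand form glibc uses for inb(); port goes in %dx. */
        __asm__ volatile ("inb %w1, %0" : "=a"(value) : "Nd"(port));
        result = PROBE_ALLOWED;      /* the instruction retired without a fault */
    } else {
        result = PROBE_FAULTED;      /* the kernel delivered SIGSEGV for the #GP */
    }

    sigaction(SIGSEGV, &old, NULL);  /* restore whatever handler was installed */
    return result;
#else
    (void)port;
    return PROBE_UNSUPPORTED;
#endif
}

const char *probe_describe(int result)
{
    switch (result) {
    case PROBE_FAULTED: return "no I/O port access (expected for an unprivileged process)";
    case PROBE_ALLOWED: return "I/O port access GRANTED to a process that did not ask for it";
    default:            return "probe not supported on this architecture";
    }
}

int main(void)
{
    int r = probe_io_port(0x80);
    printf("inb 0x80: %s\n", probe_describe(r));
    return r == PROBE_ALLOWED ? 1 : 0;  /* non-zero exit flags the unexpected case */
}
```

To use it as a regression check on a 64-bit PV guest, run the binary as an ordinary user while another process on the same vCPU holds iopl(3) (an X server is the classic case) and loop it for a while; every run must report the faulted result on a kernel carrying xsa171.patch.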
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2016-04-23 10:21:05 UTC
This patch is not for app-emulation/xen. The patch is a kernel patch
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 05:26:45 UTC
As per Ian, this is a kernel bug. Redirecting to Kernel maintainers.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 16:43:57 UTC
All upstream LTS kernels include the patch. All sys-kernel/gentoo-sources ebuilds, excluding sys-kernel/gentoo-sources-3.4.x, have stable ebuilds containing the fix.

=sys-kernel/gentoo-sources-3.4.113 will be stabilized in bug 522930.
Comment 4 Tomáš Mózes 2018-12-10 09:41:47 UTC
Security, can you please close this obsolete one? Thanks