Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 583462 (CVE-2016-4480) - <app-emulation/xen-4.6.1-r2, <app-emulation/xen-tools-4.6.1-r3: x86 software guest page walk PS bit handling flaw - XSA-176 (CVE-2016-4480)
Summary: <app-emulation/xen-4.6.1-r2, <app-emulation/xen-tools-4.6.1-r3: x86 software ...
Status: RESOLVED FIXED
Alias: CVE-2016-4480
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-19 02:36 UTC by Yury German
Modified: 2016-11-12 12:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
xsa176 Patch - as in Document (xsa176.patch,1.47 KB, text/plain)
2016-05-19 02:36 UTC, Yury German
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Yury German Gentoo Infrastructure gentoo-dev Security 2016-05-19 02:36:28 UTC
Created attachment 434658 [details]
xsa176 Patch - as in Document

Xen Security Advisory CVE-2016-4480 / XSA-176
                               version 3

           x86 software guest page walk PS bit handling flaw

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The Page Size (PS) page table entry bit exists at all page table levels
other than L1.  Its meaning is reserved in L4, and conditionally
reserved in L3 and L2 (depending on hardware capabilities).  The
software page table walker in the hypervisor, however, so far ignored
that bit in L4 and (on respective hardware) L3 entries, resulting in
pages to be treated as page tables which the guest OS may not have
designated as such.  If the page in question is writable by an
unprivileged user, then that user will be able to map arbitrary guest
memory.

IMPACT
======

On vulnerable OSes, guest user mode code may be able to establish
mappings of arbitrary memory inside the guest, allowing it to elevate
its privileges inside the guest.

VULNERABLE SYSTEMS
==================

All Xen versions expose the vulnerability.

ARM systems are not vulnerable.  x86 PV guests are not vulnerable.

To be vulnerable, a system must have both a vulnerable hypervisor, and
a vulnerable guest operating system, i.e. ones which make non-standard
use of the PS bit.  We are not aware of any vulnerable guest operating
systems, but we cannot rule it out.  We have checked with maintainers
of the following operating systems, all of whom have said that to the
best of their knowledge their operating system is not vulnerable:
Linux, FreeBSD, NetBSD, OpenBSD, and Solaris.  Nor has it been observed
in common proprietary operating systems.

MITIGATION
==========

Running only PV guests will avoid this issue.

CREDITS
=======

This issue was discovered by Jan Beulich from SUSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note, however, that on hosts supporting 1Gb page mappings, for guests
which get this capability hidden via CPUID override in their config
file, fully correct behavior cannot be provided when using HAP paging.
This is a result of hardware behavior, which software cannot mitigate.
If that is a concern, such guests would need to be run in shadow paging
mode.

xsa176.patch      xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa176*
e61c52477a8d8aa79111d686b103202ff8a558d8b3356635288c1290789b7eb3  xsa176.patch
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2016-05-20 04:42:45 UTC
commit bc21ec5985e878110034366d860b451cf9102a2e
Author: Ian Delaney <idella4@gentoo.org>
Date:   Fri May 20 12:39:15 2016 +0800

    app-emulation/xen-tools: revbump to 4.6.1-r3
    
    Add sec patch xsa-176 patch, re security bug
    Holding off revbump to 4.6.0, considering also purging
    
    Gentoo-bug: #583462
    
    Package-Manager: portage-2.3.0_rc1

commit e8b0c88c33a3a45e75af232291e826289c22f7e4
Author: Ian Delaney <idella4@gentoo.org>
Date:   Fri May 20 11:50:17 2016 +0800

    app-emulation/xen: revbump to 4.6.1-r2
    
    Add sec patch xsa-176 patch, re security bug
    Holding off revbump to 4.6.0, considering also purging
    
    Gentoo-bug: #583462
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-12 12:11:51 UTC
GLSA Vote: No