601988 – (CVE-2016-10025, XSA-203) <app-emulation/xen-{4.6.4-r4,4.7.1-r4}: x86: missing NULL pointer check in VMFUNC emulation

Bug 601988 (CVE-2016-10025, XSA-203) - <app-emulation/xen-{4.6.4-r4,4.7.1-r4}: x86: missing NULL pointer check in VMFUNC emulation

Summary: <app-emulation/xen-{4.6.4-r4,4.7.1-r4}: x86: missing NULL pointer check in VM...

Status:	RESOLVED FIXED

Alias:	CVE-2016-10025, XSA-203

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	CVE-2016-10024, XSA-202
Blocks:
	Show dependency tree

Reported:	2016-12-08 14:04 UTC by Aaron Bauman (RETIRED)
Modified:	2017-01-03 05:51 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aaron Bauman (RETIRED) gentoo-dev

2016-12-08 14:04:41 UTC

ISSUE DESCRIPTION
=================

When support for the Intel VMX VMFUNC leaf 0 was added, a new optional
function pointer hvmemul_vmfunc was added to the hvm_emulate_ops
table.  As is intended, that new function pointer is NULL on non-VMX
hardware, including AMD SVM hardware.  However at a call site, the
necessary NULL check was omitted before the indirect function call.

IMPACT
======

Malicious guests may cause a hypervisor crash, resulting in a Denial
of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and newer are vulnerable.  Xen versions 4.5 and earlier
are not vulnerable.

Only HVM guests can exploit the vulnerability.  PV guests cannot exploit
the vulnerability.

Only x86 systems using SVM (AMD virtualisation extensions) rather than
VMX (Intel virtualisation extensions) are vulnerable.  This applies to
HVM guests on AMD x86 CPUs.  Therefore AMD x86 hardware is vulnerable;
Intel hardware is not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only VMX capable hardware will also avoid this
vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa203.patch           xen-unstable
xsa203-4.8.patch       Xen 4.8.x
xsa203-4.7.patch       Xen 4.7.x, Xen 4.6.x

$ sha256sum xsa203*
9af7e862705987a60de1def81ed179931c3f683d05b05c2708cf16bb85d203c9  xsa203.patch
7cc04278778fe885e4c3ae3f846d099075a38bccfafe6dff018ba525499b4e46  xsa203-4.7.patch
4218fcfff11ec4788462a3ea9dddecb25b9d9fb1beaad17ca0f723b07b6675e4  xsa203-4.8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2016-12-22 04:07:14 UTC

@maintainer, please proceed.

Comment 2 Yixun Lan archtester

2016-12-22 12:50:26 UTC

already fixed in tree, see bug 601986

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2017-01-03 05:51:59 UTC

GLSA Vote: No