Information

Advisory XSA-103
Public release 2014-08-12 12:00
Updated 2014-08-12 13:02
Version 3
CVE(s) CVE-2014-5148
Title Flaw in handling unknown system register access from 64-bit userspace on ARM

Files

advisory-103.txt (signed advisory file)
xsa103-4.4.patch
xsa103-unstable.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

              Xen Security Advisory CVE-2014-5148 / XSA-103
                                version 3

 Flaw in handling unknown system register access from 64-bit userspace on ARM

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When handling an unknown system register access from 64-bit userspace
Xen would incorrectly return to the second instruction of the trap
handler for faults in kernel space rather than the first instruction
of the trap handler for faults in 64-bit userspace.

Any user in a guest which is running a 64-bit kernel who is able to
spawn a 64-bit process can cause a trap to the kernel to be taken at
an unexpected (but not user controlled) exception address.

Known versions of Linux in the default configuration will Oops and kill the
offending process, and therefore avoid this vulnerability. However local
configuration may turn such an Oops into a kernel panic, and therefore a
guest denial of service.

IMPACT
======

Depending on the guest kernel implementation, kernel crash (guest DoS)
or privilege elevation to that of the guest kernel cannot be ruled
out.

This issue does not enable an attack on the host.

VULNERABLE SYSTEMS
==================

64-bit ARM systems may be vulnerable, depending on the guest kernel.

All versions of Linux released by Linux upstream to date avoid this
vulnerability.  Systems based on modified versions of Linux may be
vulnerable.

32-bit ARM systems, and X86 systems, are not vulnerable.

MITIGATION
==========

There is no known mitigation for this issue.

CREDITS
=======

This issue was reported as a bug by Riku Voipio, discovered via
Linaro's LAVA testing and was diagnosed as a security issue by Ian
Campbell.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

The patch for XSA-103 (specifically, xsa102-*-02.patch) must be
applied first.

xsa103-unstable.patch        xen-unstable
xsa103-4.4.patch             Xen 4.4.x

$ sha256sum xsa103*.patch
fee2e0be91d08aa28ba44b616edd99a1bfcdec419966c3f9e843a842d649e4ea  xsa103-4.4.patch
838d059618d31b272ec10ac8cbb6613a68b634c98418aff2a33cd514ed06b55a  xsa103-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJT6hBtAAoJEIP+FMlX6CvZ6+sIAMiAJEzJl2pWk61kr3QT1llk
lYYEEX94QxxJIzg62o4RnMzYZXsmOT6y2YP62nEziRbBaFcgmB0bNrx+Qc52+QWk
iea2lYAJUGmEdwnY6x2raLF6Wd2alCjZxXF1UzSJJ6Vu8WiTNFXHI+mKlc9JY4bN
aStmfgvN3j6Nmjav8k9ar/8QVfc4Oe0xOlzwFt5DlNHewExWN1y+HtPnrBTkGu5K
ckgjvbxs4/SF4No59XqY0XxdpEDIEXo46keJ07DG6/nVzIl83ZtpBhxiNX8xfz91
ZYzu6feGbgtvy1+utxo/l3qBAn7TrDXn58mLTgKTM2dD3D4Crv9tKLuOXF1xVLM=
=hjBc
-----END PGP SIGNATURE-----

Xenproject.org Security Team