Information
Advisory | XSA-42 |
Public release | 2013-02-12 12:00 |
Updated | 2013-02-13 16:49 |
Version | 2 |
CVE(s) | CVE-2013-0228 |
Title | Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS. |
Files
advisory-42.txt (signed advisory file)
xsa42-pvops-0001-x86-xen-don-t-assume-ds-is-usable-in-xen_iret-for-32.patch
Advisory
Xen Security Advisory CVE-2013-0228 / XSA-42
version 2
Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
When returning via iret, the Linux kernel assumes that the %ds segment is safe
and uses it to reference various per-cpu related fields. Unfortunately,
the user can modify the LDT and provide a NULL one. Whenever an iret is executed
we end up in xen_iret, try to use the %ds segment, and cause a
general protection fault.
IMPACT
======
Malicious or buggy unprivileged user space can cause the guest kernel to
crash, or permit a privilege escalation within the guest, or operate
erroneously.
VULNERABLE SYSTEMS
==================
All 32bit PVOPS versions of Linux are affected, since the introduction
of Xen PVOPS support in 2.6.23. Classic-Xen kernels are not vulnerable.
MITIGATION
==========
This can be mitigated by not running 32bit PVOPS Linux guests.
32bit classic-Xen guests, all 64bit PV guests and all HVM guests are
unaffected.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
$ sha256sum xsa42*.patch
a931fdc161653fb1a3a6d8c1cf6d2c9954c5aec134b610be6e9699552a659eb8 xsa42-pvops-0001-x86-xen-don-t-assume-ds-is-usable-in-xen_iret-for-32.patch
$
Xenproject.org Security Team
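Added example (not part of the advisory or of any Xen Project tooling): a shell helper that reads the `$ sha256sum` listing from the advisory's RESOLUTION section and checks the downloaded patch files against it before they are applied. It assumes the advisory text has already been authenticated (for instance with `gpg --verify` on the signed advisory-42.txt); the function names `extract_digests` and `verify_patches` are hypothetical.

```shell
#!/bin/sh
# Added example: check XSA patch files against the digests published in the
# advisory text. Assumption: the advisory itself was authenticated first.

# extract_digests ADVISORY
# Print "digest  filename" for each entry listed after a "$ sha256sum" line.
extract_digests() {
    awk '
        /^\$ sha256sum/ { in_block = 1; next }   # command line opens the listing
        /^\$/           { in_block = 0 }         # the next prompt closes it
        # Accept only a 64-hex-digit digest plus a bare filename; a name with
        # a path component is skipped so the check stays inside PATCH_DIR.
        in_block && NF == 2 && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ \
                 && index($2, "/") == 0 { print $1 "  " $2 }
    ' "$1"
}

# verify_patches ADVISORY PATCH_DIR
# Returns 0 only if at least one digest was found and every listed file
# matches; 2 if the advisory contains no digests; non-zero on any mismatch
# or missing file.
verify_patches() {
    advisory=$1
    dir=$2
    list=$(extract_digests "$advisory")
    if [ -z "$list" ]; then
        echo "no sha256 digests found in $advisory" >&2
        return 2
    fi
    # sha256sum -c treats a missing or modified file as a failure.
    ( cd "$dir" && printf '%s\n' "$list" | sha256sum -c - )
}

# Usage: ./verify-xsa.sh advisory-42.txt /path/to/patches
if [ "$#" -eq 2 ]; then
    verify_patches "$1" "$2" || exit 1
fi
```

Run it before `git am` or `patch -p1`, and treat any non-zero exit as a reason not to apply the patch.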