XEN CVE-2014-7188 Improper MSR range used for x2APIC emulation

If you are running Xen 4.1+, the patch is out now.

It hit everyone worldwide, small, medium and large alike; even Amazon had to reboot its cloud.

http://xenbits.xen.org/xsa/advisory-108.html

This bug lets a guest VM read memory belonging to other VMs.

[h=1]Information[/h]
[TABLE]
[TR]
[TH]Advisory[/TH]
[TD]XSA-108[/TD]
[/TR]
[TR]
[TH]Public release[/TH]
[TD]2014-10-01 12:00[/TD]
[/TR]
[TR]
[TH]Updated[/TH]
[TD]2014-10-01 12:02[/TD]
[/TR]
[TR]
[TH]Version[/TH]
[TD]4[/TD]
[/TR]
[TR]
[TH]CVE(s)[/TH]
[TD]CVE-2014-7188[/TD]
[/TR]
[TR]
[TH]Title[/TH]
[TD]Improper MSR range used for x2APIC emulation[/TD]
[/TR]
[/TABLE]
[h=1]Files[/h]
advisory-108.txt (signed advisory file)
xsa108.patch
[h=1]Advisory[/h]
[HR][/HR]

          Xen Security Advisory CVE-2014-7188 / XSA-108
                          version 4

          Improper MSR range used for x2APIC emulation

UPDATES IN VERSION 4

Public release.

ISSUE DESCRIPTION

The MSR range specified for APIC use in the x2APIC access model spans
256 MSRs. Hypervisor code emulating read and write accesses to these
MSRs erroneously covered 1024 MSRs. While the write emulation path is
written such that accesses to the extra MSRs would not have any bad
effect (they end up being no-ops), the read path would (attempt to)
access memory beyond the single page set up for APIC emulation.

IMPACT

A buggy or malicious HVM guest can crash the host or read data
relating to other guests or the hypervisor itself.

VULNERABLE SYSTEMS

Xen 4.1 and onward are vulnerable.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

MITIGATION

Running only PV guests will avoid this vulnerability.

CREDITS

This issue was discovered by Jan Beulich at SUSE.

RESOLUTION

Applying the attached patch resolves this issue.

xsa108.patch xen-unstable, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa108*.patch
cf7ecf4b4680c09e8b1f03980d8350a0e1e7eb03060031788f972e0d4d47203e xsa108.patch
$
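The range error in the advisory's issue description can be modelled in a few lines of C. This is an added example, not part of the original post and not Xen's code: it only computes which page offsets a 1024-MSR range lets through compared with a 256-MSR range. The base index 0x800 and the 16-byte register spacing are the architectural x2APIC mapping; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define X2APIC_MSR_BASE 0x800u /* first x2APIC MSR index (architectural) */
#define APIC_PAGE_SIZE  4096u  /* the single page set up for APIC emulation */
#define RANGE_BEFORE    1024u  /* MSRs the emulation covered before the fix */
#define RANGE_AFTER     256u   /* MSRs the x2APIC access model really spans */

/* Hypothetical model of the range check on the read path: returns 1 and the
 * byte offset into the APIC page when the MSR is treated as an APIC register,
 * 0 when it falls outside the emulated range. Registers are 16 bytes apart. */
static int x2apic_msr_to_offset(uint32_t msr, uint32_t range, uint32_t *off)
{
    if (msr < X2APIC_MSR_BASE || msr - X2APIC_MSR_BASE >= range)
        return 0;
    *off = (msr - X2APIC_MSR_BASE) << 4;
    return 1;
}

/* Largest page offset the read path can be asked for with a given range. */
static uint32_t max_offset(uint32_t range)
{
    uint32_t off, max = 0;
    for (uint32_t msr = 0; msr < 0x2000u; msr++)
        if (x2apic_msr_to_offset(msr, range, &off) && off > max)
            max = off;
    return max;
}

/* Number of accepted MSRs whose 32-bit register would lie past the page. */
static unsigned count_past_page(uint32_t range)
{
    uint32_t off;
    unsigned n = 0;
    for (uint32_t msr = 0; msr < 0x2000u; msr++)
        if (x2apic_msr_to_offset(msr, range, &off) && off + 4 > APIC_PAGE_SIZE)
            n++;
    return n;
}

int main(void)
{
    printf("before fix: max offset 0x%x, %u MSRs past the page\n",
           max_offset(RANGE_BEFORE), count_past_page(RANGE_BEFORE));
    printf("after fix:  max offset 0x%x, %u MSRs past the page\n",
           max_offset(RANGE_AFTER), count_past_page(RANGE_AFTER));
    return 0;
}
```

With the 256-MSR range every accepted offset stays inside the 4 KiB page; with the 1024-MSR range three quarters of the accepted MSRs map past its end, which is the out-of-page read the advisory describes.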