892977 – (CVE-2014-5148) VUL-1: CVE-2014-5148: xen: XSA-103: Flaw in handling unknown system register access from 64-bit userspace on ARM

Bug 892977 (CVE-2014-5148) - VUL-1: CVE-2014-5148: xen: XSA-103: Flaw in handling unknown system register access from 64-bit userspace on ARM

Summary: VUL-1: CVE-2014-5148: xen: XSA-103: Flaw in handling unknown system register ...

Status:	VERIFIED FIXED

Alias:	CVE-2014-5148

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-08-21 13:51 UTC by Alexander Bergmann
Modified:	2014-08-21 13:51 UTC (History)
CC List:	0 users

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2014-08-21 13:51:27 UTC

This bug was opened as reference only.

              Xen Security Advisory CVE-2014-5148 / XSA-103
                                version 3

 Flaw in handling unknown system register access from 64-bit userspace on ARM

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

When handling an unknown system register access from 64-bit userspace
Xen would incorrectly return to the second instruction of the trap
handler for faults in kernel space rather than the first instruction
of the trap handler for faults in 64-bit userspace.

Any user in a guest which is running a 64-bit kernel who is able to
spawn a 64-bit process can cause a trap to the kernel to be taken at
an unexpected (but not user controlled) exception address.

Known versions of Linux in the default configuration will Oops and kill the
offending process, and therefore avoid this vulnerability. However local
configuration may turn such an Oops into a kernel panic, and therefore a
guest denial of service.

IMPACT
======

Depending on the guest kernel implementation, kernel crash (guest DoS)
or privilege elevation to that of the guest kernel cannot be ruled
out.

This issue does not enable an attack on the host.

VULNERABLE SYSTEMS
==================

64-bit ARM systems may be vulnerable, depending on the guest kernel.

All versions of Linux released by Linux upstream to date avoid this
vulnerability.  Systems based on modified versions of Linux may be
vulnerable.

32-bit ARM systems, and X86 systems, are not vulnerable.

MITIGATION
==========

There is no known mitigation for this issue.

CREDITS
=======

This issue was reported as a bug by Riku Voipio, discovered via
Linaro's LAVA testing and was diagnosed as a security issue by Ian
Campbell.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

The patch for XSA-103 (specifically, xsa102-*-02.patch) must be
applied first.

xsa103-unstable.patch        xen-unstable
xsa103-4.4.patch             Xen 4.4.x

$ sha256sum xsa103*.patch
fee2e0be91d08aa28ba44b616edd99a1bfcdec419966c3f9e843a842d649e4ea  xsa103-4.4.patch
838d059618d31b272ec10ac8cbb6613a68b634c98418aff2a33cd514ed06b55a  xsa103-unstable.patch
$

Comment 1 Alexander Bergmann 2014-08-21 13:51:54 UTC

Closed.