[XSA-260] x86: mishandling of debug exceptions
ISSUE DESCRIPTION
When switching stacks, it is critical to have a matching stack segment
and stack pointer. To allow an atomic update from what would otherwise
be two adjacent instructions, an update which changes the stack segment
(either a mov or pop instruction with %ss encoded as the destination
register) sets the movss shadow for one instruction.
The exact behaviour of the movss shadow is poorly understood.
In practice, a movss shadow delays some debug exceptions (e.g. from a
hardware breakpoint) until the subsequent instruction has completed. If
the subsequent instruction normally transitions to supervisor mode
(e.g. a system call), then the debug exception will be taken after the
transition to ring0 is completed.
For most transitions to supervisor mode, this only confuses Xen into
printing a lot of debugging information. For the syscall instruction
however, the exception gets taken before the syscall handler can move
off the guest stack.
IMPACT
A malicious PV guest can escalate their privilege to that of the
hypervisor.
VULNERABLE SYSTEMS
All versions of Xen are vulnerable.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH
guests cannot exploit the vulnerability.
An attacker needs to be able to control hardware debugging facilities to
exploit the vulnerability, but such permissions are typically available
to unprivileged users.
Package | Affected Version |
---|---|
pkg:generic/xen | = 4.6.x |
pkg:generic/xen | = 4.7.x |
pkg:generic/xen | = 4.8.x |
pkg:generic/xen | = 4.9.x |
pkg:generic/xen | = 4.10.x |
- ID
- XSA-260
- Severity
- high
- Severity from
- CVE-2018-8897
- URL
- http://xenbits.xen.org/xsa/advisory-260.html
- Published
- 2018-05-08T16:45:00
- Modified
- 2018-05-08T16:45:00
- Rights
- Xen Project
- Other Advisories
- ALAS-2018-1023
- ALAS2-2018-1023
- ALPINE:CVE-2018-8897
- DSA-4196-1
- DSA-4201-1
- ELSA-2018-1318
- ELSA-2018-1319
- ELSA-2018-4096
- ELSA-2018-4097
- ELSA-2018-4098
- ELSA-2018-4219
- FEDORA-2018-1a467757ce
- FEDORA-2018-5521156807
- FEDORA-2018-683dfde81a
- FEDORA-2018-73dd8de892
- FEDORA-2018-7cd077ddd3
- FEDORA-2018-915602df63
- FEDORA-2018-98684f429b
- FEDORA-2018-a7862a75f5
- FEDORA-2018-a7ac26523d
- FEDORA-2018-aec846c0ef
- FEDORA-2018-d3cb6f113c
- FEDORA-2018-f20a0cead5
- FEDORA-2018-fe24359b69
- FEDORA-2019-bce6498890
- FREEBSD:521CE804-52FD-11E8-9123-A4BADB2F4699
- MS:CVE-2018-8897
- RHSA-2018:1318
- RHSA-2018:1319
- RHSA-2018:1355
- SUSE-SU-2018:1171-1
- SUSE-SU-2018:1172-1
- SUSE-SU-2018:1173-1
- SUSE-SU-2018:1173-2
- SUSE-SU-2018:1177-1
- SUSE-SU-2018:1181-1
- SUSE-SU-2018:1184-1
- SUSE-SU-2018:1202-1
- SUSE-SU-2018:1203-1
- SUSE-SU-2018:1216-1
- SUSE-SU-2018:1220-1
- SUSE-SU-2018:1221-1
- SUSE-SU-2018:1505-1
- SUSE-SU-2018:1506-1
- SUSE-SU-2018:1509-1
- SUSE-SU-2018:1510-1
- SUSE-SU-2018:1511-1
- SUSE-SU-2018:1512-1
- SUSE-SU-2018:1513-1
- SUSE-SU-2018:1514-1
- SUSE-SU-2018:1516-1
- SUSE-SU-2018:1517-1
- SUSE-SU-2018:1518-1
- SUSE-SU-2018:1519-1
- SUSE-SU-2018:1520-1
- SUSE-SU-2018:1521-1
- SUSE-SU-2018:1522-1
- SUSE-SU-2018:1523-1
- SUSE-SU-2018:1524-1
- SUSE-SU-2018:1526-1
- SUSE-SU-2018:1528-1
- SUSE-SU-2018:1529-1
- SUSE-SU-2018:1530-1
- SUSE-SU-2018:1531-1
- SUSE-SU-2018:1532-1
- SUSE-SU-2018:1533-1
- SUSE-SU-2018:1534-1
- SUSE-SU-2018:1535-1
- SUSE-SU-2018:1536-1
- SUSE-SU-2018:1537-1
- SUSE-SU-2018:1538-1
- SUSE-SU-2018:1539-1
- SUSE-SU-2018:1540-1
- SUSE-SU-2018:1541-1
- SUSE-SU-2018:1543-1
- SUSE-SU-2018:1545-1
- SUSE-SU-2018:1546-1
- SUSE-SU-2018:1548-1
- SUSE-SU-2018:1549-1
- SUSE-SU-2018:1636-1
- SUSE-SU-2018:1637-1
- SUSE-SU-2018:1639-1
- SUSE-SU-2018:1640-1
- SUSE-SU-2018:1641-1
- SUSE-SU-2018:1642-1
- SUSE-SU-2018:1643-1
- SUSE-SU-2018:1644-1
- SUSE-SU-2018:1645-1
- SUSE-SU-2018:1648-1
- SUSE-SU-2018:3230-1
- USN-3641-1
- USN-3641-2
- VU:631579
Source | # ID | Name | URL |
---|---|---|---|
Xen Project | XSA-260 | Security Advisory | http://xenbits.xen.org/xsa/advisory-260.html |
Xen Project | XSA-260 | Signed Security Advisory | http://xenbits.xen.org/xsa/advisory-260.txt |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:generic/xen | xen | = 4.6.x | ||||
Affected | pkg:generic/xen | xen | = 4.7.x | ||||
Affected | pkg:generic/xen | xen | = 4.8.x | ||||
Affected | pkg:generic/xen | xen | = 4.9.x | ||||
Affected | pkg:generic/xen | xen | = 4.10.x | ||||