CVE-2018-14678: 274 - Xen Security Advisories

An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.


Information

Advisory: XSA-274
Public release: 2018-07-25 16:39
Updated: 2018-08-15 16:09
Version: 3
CVE(s): CVE-2018-14678
Title: Linux: Uninitialized state in x86 PV failsafe callback path
Files: advisory-274.txt (signed advisory file), xsa274-linux-4.17.patch

Advisory


        Xen Security Advisory CVE-2018-14678 / XSA-274
                           version 3

  Linux: Uninitialized state in x86 PV failsafe callback path

UPDATES IN VERSION 3

Fix spelling in CREDITS.

ISSUE DESCRIPTION

Linux has a `failsafe` callback, invoked by Xen under certain conditions. Normally in this failsafe callback, error_entry is paired with error_exit; and error_entry uses %ebx to communicate to error_exit whether to use the user or kernel return path.

Unfortunately, on 64-bit PV Xen on x86, error_exit is called without error_entry being called first, leaving %ebx with an invalid value.

IMPACT

A rogue user-space program could crash a guest kernel. Privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS

Only 64-bit x86 PV Linux systems are vulnerable.

All versions of Linux are vulnerable.

MITIGATION

Switching to HVM or PVH guests will mitigate this issue.

CREDITS

This issue was discovered by M. Vefa Bicakci, and recognized as a security issue by Andy Lutomirski.

RESOLUTION

Applying the appropriate attached patch resolves this issue.

NB: this patch has not been accepted into Linux upstream yet. An updated advisory will be sent if the fix, as upstreamed, looks significantly different.

xsa274-linux-4.17.patch    Linux 4.17

$ sha256sum xsa274*
0c30cb13d1d573f446c8cb8d4824ffad8ef9149a7589a19ef9bcc83c07bddcf5  xsa274-linux-4.17.patch
$

NOTE ON THE LACK OF EMBARGO

The patch for this issue was published on linux-kernel without being first reported to the XenProject Security Team.


Xenproject.org Security Team
