Flaw in handling unknown system register access from 64-bit userspace on ARM

2014-08-12T12:00:00
ID XSA-103
Type xen
Reporter Xen Project
Modified 2014-08-12T13:02:00

Description

ISSUE DESCRIPTION

When handling an unknown system register access from 64-bit userspace Xen would incorrectly return to the second instruction of the trap handler for faults in kernel space rather than the first instruction of the trap handler for faults in 64-bit userspace. Any user in a guest which is running a 64-bit kernel who is able to spawn a 64-bit process can cause a trap to the kernel to be taken at an unexpected (but not user controlled) exception address. Known versions of Linux in the default configuration will Oops and kill the offending process, and therefore avoid this vulnerability. However local configuration may turn such an Oops into a kernel panic, and therefore a guest denial of service.

IMPACT

Depending on the guest kernel implementation, kernel crash (guest DoS) or privilege elevation to that of the guest kernel cannot be ruled out. This issue does not enable an attack on the host.

VULNERABLE SYSTEMS

64-bit ARM systems may be vulnerable, depending on the guest kernel. All versions of Linux released by Linux upstream to date avoid this vulnerability. Systems based on modified versions of Linux may be vulnerable. 32-bit ARM systems, and X86 systems, are not vulnerable.