Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

2014-09-23T12:00:00
ID XSA-105
Type xen
Reporter Xen Project
Modified 2014-09-24T10:29:00

Description

ISSUE DESCRIPTION

The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when the instruction's memory operand (if any) lives in (emulated or passed through) memory mapped IO space, - in the case of guests running in 32-bit PAE mode, when such an instruction is (in execution flow) within four instructions of one doing a page table update, - when an Invalid Opcode exception gets raised by a guest instruction, and the guest then (likely maliciously) alters the instruction to become one of the affected ones. Malicious guest user mode code may be able to leverage this to install e.g. its own Interrupt Descriptor Table (IDT).

IMPACT

Malicious HVM guest user mode code may be able to crash the guest or escalate its own privilege to guest kernel mode.

VULNERABLE SYSTEMS

Xen versions from at least 3.2.x onwards are vulnerable. Older versions have not been inspected. Only user processes in HVM guests can take advantage of this vulnerability.