hypervisor stack leak in x86 I/O intercept code

2017-10-12T12:00:00
ID XSA-239
Type xen
Reporter Xen Project
Modified 2017-10-12T12:16:00

Description

ISSUE DESCRIPTION

Intercepted I/O operations may deal with less than a full machine word's worth of data. While read paths had been the subject of earlier XSAs (and hence have been fixed), at least one write path was found where the data stored into an internal structure could contain bits from an uninitialized hypervisor stack slot. A subsequent emulated read would then be able to retrieve these bits.

IMPACT

A malicious unprivileged x86 HVM guest may be able to obtain sensitive information from the host or other guests.

VULNERABLE SYSTEMS

All Xen versions are vulnerable. Only x86 systems are affected. ARM systems are not affected. Only HVM guests can leverage this vulnerability. PV guests cannot leverage this vulnerability.