Linux: Uninitialized state in PV syscall return path

2018-07-25T16:39:00
ID XSA-274
Type xen
Reporter Xen Project
Modified 2018-07-25T16:39:00

Description

ISSUE DESCRIPTION

Linux has a failsafe callback, invoked by Xen under certain conditions. Normally in this failsafe callback, error_entry is paired with error_exit; and error_entry uses %ebx to communicate to error_exit whether to use the user or kernel return path. Unfortunately, on 64-bit PV Xen on x86, error_exit is called without error_entry being called first, leaving %ebx with an invalid value.
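The defect described above, modelled in C as an added example rather than as Linux entry code: `model_ebx`, `struct frame` and the function names are stand-ins for %ebx, the saved trap frame and error_entry/error_exit. The hardened variant derives user-versus-kernel from the saved CS instead of from %ebx; that is the example's own choice, not a description of the upstream patch.

```c
#include <stdint.h>

/* Constructed model of the saved trap frame: only CS matters here, and its
 * low two bits (the RPL) are 3 when the interrupted code was user mode. */
struct frame { uint64_t cs; uint64_t rip; };

enum ret_path { RET_KERNEL = 0, RET_USER = 1, RET_INVALID = -1 };

/* Hypothetical stand-in for %ebx, the register the vulnerable scheme uses to
 * carry "user or kernel?" from entry to exit. Nothing resets it between events. */
static long model_ebx = -1;

/* Vulnerable scheme: error_entry records the mode in the register ... */
static void error_entry_vuln(const struct frame *f) {
    model_ebx = ((f->cs & 3) == 3) ? 1 : 0;
}

/* ... and error_exit trusts that register, never checking that entry ran. */
static enum ret_path error_exit_vuln(const struct frame *f) {
    (void)f;
    if (model_ebx == 1) return RET_USER;
    if (model_ebx == 0) return RET_KERNEL;
    return RET_INVALID;              /* garbage in %ebx: no valid path */
}

/* Hardened scheme: error_exit re-derives the mode from the saved frame, so a
 * path that reaches it without error_entry cannot be misled by stale state. */
static enum ret_path error_exit_fixed(const struct frame *f) {
    return ((f->cs & 3) == 3) ? RET_USER : RET_KERNEL;
}

/* Ordinary exception: entry then exit; both schemes agree here. */
static enum ret_path normal_path_vuln(const struct frame *f) {
    error_entry_vuln(f);
    return error_exit_vuln(f);
}

/* The failsafe callback as the advisory describes it: error_exit without a
 * preceding error_entry, so %ebx holds whatever was left there (stale_ebx). */
static enum ret_path failsafe_path_vuln(const struct frame *f, long stale_ebx) {
    model_ebx = stale_ebx;
    return error_exit_vuln(f);       /* error_entry_vuln deliberately skipped */
}

static enum ret_path failsafe_path_fixed(const struct frame *f, long stale_ebx) {
    model_ebx = stale_ebx;           /* still stale, but no longer consulted */
    return error_exit_fixed(f);
}
```

With a user-mode frame and a stale value of 0 in the register, the vulnerable exit selects the kernel return path; the hardened exit selects the user path regardless of what the register holds.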

IMPACT

A rogue user-space program could crash a guest kernel. Privilege escalation cannot be ruled out.

VULNERABLE SYSTEMS

Only 64-bit x86 PV Linux systems are vulnerable. All versions of Linux are vulnerable.