Xen Project XSA-66

Information leak through fbld instruction emulation

2013-09-30 10:04:00
Xen Project, xenbits.xen.org

CVSS2: 2.1 Low (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.001 Low (percentile 25.0%)

ISSUE DESCRIPTION

The emulation of the fbld instruction (which is used during I/O emulation) uses the wrong variable for the source effective address. As a result, the actual address used is an uninitialised bit pattern from the stack.
A malicious guest might be able to find out information about the contents of the hypervisor stack, by observing which values are actually being used by fbld and inferring what the address must have been. Depending on the actual values on the stack this attack might be very difficult to carry out.
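The defect class described above is a handler that dereferences one operand variable while the decoder populated a different one, so the address actually used is whatever the unfilled variable happened to contain. The following C snippet is an added illustration and is not Xen's x86_emulate code; the structures, the `ea`/`src` slot names and the `resolved` flag are assumptions made for the example. It shows the correct handler next to the wrong-variable pattern, with a resolved-flag and bounds check so that a wrong-variable read fails closed rather than reading through a stale offset.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified instruction-emulator state. Names and layout are
 * assumptions for this illustration; they are not Xen's x86_emulate structures. */
enum { GUEST_MEM_SIZE = 32, FBLD_OPERAND_LEN = 10 };  /* fbld loads an 80-bit packed BCD */

struct operand_addr {
    uint64_t off;    /* guest-linear offset of the memory operand */
    bool resolved;   /* true once the decoder has actually computed off */
};

struct emul_ctxt {
    struct operand_addr ea;   /* effective address computed by the decoder: the right variable */
    struct operand_addr src;  /* a second slot that fbld decoding never fills: the wrong variable */
    uint8_t guest_mem[GUEST_MEM_SIZE];  /* constructed stand-in for guest memory */
};

/* Decoder step for fbld: only the effective-address slot is populated. */
static void decode_fbld(struct emul_ctxt *ctxt, uint64_t off)
{
    ctxt->ea.off = off;
    ctxt->ea.resolved = true;
}

/* Shared body: refuse to read through an operand slot the decoder never resolved,
 * and bounds-check against guest memory. Returns 0 on success, -1 otherwise. */
static int read_fbld_source(const struct emul_ctxt *ctxt, const struct operand_addr *addr,
                            uint8_t out[FBLD_OPERAND_LEN])
{
    if (!addr->resolved || addr->off > GUEST_MEM_SIZE - FBLD_OPERAND_LEN)
        return -1;
    memcpy(out, ctxt->guest_mem + addr->off, FBLD_OPERAND_LEN);
    return 0;
}

/* Correct handler: reads from the decoder's effective address. */
int emulate_fbld_fixed(const struct emul_ctxt *ctxt, uint8_t out[FBLD_OPERAND_LEN])
{
    return read_fbld_source(ctxt, &ctxt->ea, out);
}

/* The defect pattern from the advisory: the handler names the wrong operand slot.
 * With the resolved flag in place this fails closed instead of dereferencing a
 * stale or uninitialised offset. */
int emulate_fbld_wrong_variable(const struct emul_ctxt *ctxt, uint8_t out[FBLD_OPERAND_LEN])
{
    return read_fbld_source(ctxt, &ctxt->src, out);
}

/* Builds a context whose guest memory holds a constructed BCD pattern at offset 8
 * and whose operand slots start out unresolved (memset, so no uninitialised reads). */
void init_ctxt(struct emul_ctxt *ctxt)
{
    memset(ctxt, 0, sizeof *ctxt);
    for (int i = 0; i < FBLD_OPERAND_LEN; i++)
        ctxt->guest_mem[8 + i] = (uint8_t)(0x10 * i + i);   /* 0x00, 0x11, 0x22, ... 0x99 */
}

int main(void)
{
    struct emul_ctxt ctxt;
    uint8_t bcd[FBLD_OPERAND_LEN];

    init_ctxt(&ctxt);
    decode_fbld(&ctxt, 8);

    printf("fixed handler: %d\n", emulate_fbld_fixed(&ctxt, bcd));                    /* 0 */
    printf("wrong-variable handler: %d\n", emulate_fbld_wrong_variable(&ctxt, bcd));  /* -1 */
    return 0;
}
```

The design point is that an emulator which records whether each operand address was actually computed, and checks that record before every memory access, turns a wrong-variable mistake into a visible emulation failure rather than a silent read from an arbitrary address. Uninitialised-read detectors such as MemorySanitizer or Valgrind would flag the original pattern in testing for the same reason.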

IMPACT

A malicious guest might conceivably gain access to sensitive data relating to other guests.

VULNERABLE SYSTEMS

Xen 3.3.x and later are vulnerable.
Only HVM guests can take advantage of this vulnerability.

CPE Name: xen
Operator: ge
Version: 3.3.x
