Xen Security Advisory 239 - hypervisor stack leak in x86 I/O intercept code
Xen Security Advisory XSA-239
hypervisor stack leak in x86 I/O intercept code
UPDATES IN VERSION 2
Intercepted I/O operations may deal with less than a full machine
word's worth of data. While read paths had been the subject of earlier
XSAs (and hence have been fixed), at least one write path was found
where the data stored into an internal structure could contain bits
from an uninitialized hypervisor stack slot. A subsequent emulated
read would then be able to retrieve these bits.

A malicious unprivileged x86 HVM guest may be able to obtain sensitive
information from the host or other guests.

All Xen versions are vulnerable.

Only x86 systems are affected. ARM systems are not affected.

Only HVM guests can leverage this vulnerability. PV guests cannot
leverage this vulnerability.

Running only PV guests will avoid this issue.

This issue was discovered by Roger Pau Monné of Citrix.

Applying the appropriate attached patch resolves this issue.
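
The bug class described above (a sub-word write copied into a word-sized slot that was never initialized), shown beside its hardened form. This is an added illustration, not code from the advisory or from the Xen patch: `struct io_req`, the function names and the `stale` parameter (which stands in for the leftover stack contents so the result is deterministic) are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the internal record an intercepted write is stored in. */
struct io_req { uint64_t data; uint32_t size; };

/* Weak pattern: only `size` bytes of the word-sized slot are written. `stale`
 * models whatever an uninitialized stack slot happened to hold (constructed). */
static int store_write_weak(struct io_req *r, const void *src, uint32_t size, uint64_t stale)
{
    uint64_t slot = stale;            /* stands in for a bare "uint64_t slot;" */
    if (size == 0 || size > sizeof(slot)) return -1;
    memcpy(&slot, src, size);         /* remaining bytes keep the stale content */
    r->data = slot; r->size = size;
    return 0;
}

/* Hardened pattern: prefill the slot so the unused bytes hold a known value. */
static int store_write_fixed(struct io_req *r, const void *src, uint32_t size)
{
    uint64_t slot = 0;
    if (size == 0 || size > sizeof(slot)) return -1;
    memcpy(&slot, src, size);
    r->data = slot; r->size = size;
    return 0;
}

/* Regression check: count non-zero bytes beyond `size`, i.e. what a later
 * full-width emulated read would hand back in addition to the written data. */
static unsigned residual_bytes(const struct io_req *r)
{
    unsigned char b[sizeof(r->data)];
    unsigned n = 0;
    memcpy(b, &r->data, sizeof(b));
    for (uint32_t i = r->size; i < sizeof(b); i++) n += (b[i] != 0);
    return n;
}

int main(void)
{
    struct io_req r;
    uint8_t v = 0xAB;                 /* constructed 1-byte write */
    store_write_weak(&r, &v, 1, 0x1122334455667788ULL);
    printf("weak:  %u residual bytes\n", residual_bytes(&r));
    store_write_fixed(&r, &v, 1);
    printf("fixed: %u residual bytes\n", residual_bytes(&r));
    return 0;
}
```

A check like `residual_bytes` can be wired into a unit test for any path that stores partial-width data, so a missing prefill shows up as a test failure rather than as leaked state.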
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)