Xen Security Advisory 274 v2 (CVE-2018-14678) - Linux: Uninitialized state in x86 PV failsafe callback path
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2018-14678 / XSA-274
Linux: Uninitialized state in x86 PV failsafe callback path
UPDATES IN VERSION 2
CVE assigned. Fix the title to refer to the failsafe callback path.
Linux has a `failsafe` callback, invoked by Xen under certain
conditions. Normally in this failsafe callback, error_entry is paired
with error_exit; and error_entry uses %ebx to communicate to
error_exit whether to use the user or kernel return path.
Unfortunately, on 64-bit PV Xen on x86, error_exit is called without
error_entry being called first, leaving %ebx with an invalid value.
A rogue user-space program could crash a guest kernel. Privilege
escalation cannot be ruled out.
Only 64-bit x86 PV Linux systems are vulnerable.
All versions of Linux are vulnerable.
Switching to HVM or PVH guests will mitigate this issue.
This issue was discovered by M. Vefa Bicakci, and recognized as a
security issue by Andy Lutorminski.
Applying the appropriate attached patch resolves this issue.
NB this patch has not been accepted into Linux upstream yet. An
updated advisory will be sent if the fix upstreamed looks