[xen] Hypervisor memory corruption due to x86 emulator flaw
myoung
myoung at fedoraproject.org
Tue Mar 10 22:09:52 UTC 2015
commit a2775c65933792f29fb43bb5a7ef4f4f8ea3394c
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Tue Mar 10 22:09:29 2015 +0000
Hypervisor memory corruption due to x86 emulator flaw
xen.spec | 8 +++++++-
xsa123.patch | 24 ++++++++++++++++++++++++
2 files changed, 31 insertions(+), 1 deletion(-)
---
diff --git a/xen.spec b/xen.spec
index 26addaf..d6e89e7 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.5.0
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -90,6 +90,7 @@ Patch21: xsa117.patch
Patch22: xen.gcc5.fix.patch
Patch23: xsa121.patch
Patch24: xsa122.patch
+Patch25: xsa123.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
@@ -279,6 +280,7 @@ manage Xen virtual machines.
%patch22 -p1
%patch23 -p1
%patch24 -p1
+%patch25 -p1
# stubdom sources
cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -783,6 +785,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Tue Mar 10 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-4
+- Hypervisor memory corruption due to x86 emulator flaw [XSA-123,
+ CVE-2015-2151] (#1200398)
+
* Thu Mar 05 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-3
- Information leak via internal x86 system device emulation [XSA-121,
CVE-2015-2044]
diff --git a/xsa123.patch b/xsa123.patch
new file mode 100644
index 0000000..653996d
--- /dev/null
+++ b/xsa123.patch
@@ -0,0 +1,24 @@
+x86emul: fully ignore segment override for register-only operations
+
+For ModRM encoded instructions with register operands we must not
+overwrite ea.mem.seg (if a - bogus in that case - segment override was
+present) as it aliases with ea.reg.
+
+This is CVE-2015-2151 / XSA-123.
+
+Reported-by: Felix Wilhelm <fwilhelm at ernw.de>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+Reviewed-by: Keir Fraser <keir at xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1757,7 +1757,7 @@ x86_emulate(
+ }
+ }
+
+- if ( override_seg != -1 )
++ if ( override_seg != -1 && ea.type == OP_MEM )
+ ea.mem.seg = override_seg;
+
+ /* Early operand adjustments. */
More information about the scm-commits
mailing list