[xen/f20] Hypervisor memory corruption due to x86 emulator flaw
myoung
myoung at fedoraproject.org
Wed Mar 11 21:43:56 UTC 2015
commit 11bc0fcc35647b74f8eba57d97402485df7ef189
Author: Michael Young <m.a.young at durham.ac.uk>
Date: Wed Mar 11 21:43:04 2015 +0000
Hypervisor memory corruption due to x86 emulator flaw
xen.spec | 8 +++++++-
xsa123-4.3-4.2.patch | 24 ++++++++++++++++++++++++
2 files changed, 31 insertions(+), 1 deletion(-)
---
diff --git a/xen.spec b/xen.spec
index 96c43a5..93ef29c 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.3.3
-Release: 10%{?dist}
+Release: 11%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
@@ -120,6 +120,7 @@ Patch36: xl.migrate.debug.fail.fix.patch
Patch37: xsa116-4.3-4.2.patch
Patch38: xsa121.patch
Patch39: xsa122.patch
+Patch40: xsa123-4.3-4.2.patch
Patch100: xen-configure-xend.patch
@@ -324,6 +325,7 @@ manage Xen virtual machines.
%patch37 -p1
%patch38 -p1
%patch39 -p1
+%patch40 -p1
%patch100 -p1
@@ -897,6 +899,10 @@ rm -rf %{buildroot}
%endif
%changelog
+* Wed Mar 11 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-11
+- Hypervisor memory corruption due to x86 emulator flaw [XSA-123,
+ CVE-2015-2151] (#1200398)
+
* Thu Mar 05 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-10
- Information leak via internal x86 system device emulation [XSA-121,
CVE-2015-2044]
diff --git a/xsa123-4.3-4.2.patch b/xsa123-4.3-4.2.patch
new file mode 100644
index 0000000..cb03907
--- /dev/null
+++ b/xsa123-4.3-4.2.patch
@@ -0,0 +1,24 @@
+x86emul: fully ignore segment override for register-only operations
+
+For ModRM encoded instructions with register operands we must not
+overwrite ea.mem.seg (if a - bogus in that case - segment override was
+present) as it aliases with ea.reg.
+
+This is CVE-2015-2151 / XSA-123.
+
+Reported-by: Felix Wilhelm <fwilhelm at ernw.de>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+Reviewed-by: Keir Fraser <keir at xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1640,7 +1640,7 @@ x86_emulate(
+ }
+ }
+
+- if ( override_seg != -1 )
++ if ( override_seg != -1 && ea.type == OP_MEM )
+ ea.mem.seg = override_seg;
+
+ /* Decode and fetch the source operand: register, memory or immediate. */
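Review bot: the added `ea.type == OP_MEM` guard on the `override_seg` assignment is the right fix for the aliasing the commit message describes (ea.mem.seg overlapping ea.reg for register operands), but the hunk's three context lines do not show where ea.type is assigned relative to this point; confirm that the ModRM decode above has already settled ea.type to OP_MEM or OP_REG before this check runs, otherwise a stale ea.type would defeat the guard. A one-line comment above the `if` stating that ea.mem.seg aliases ea.reg, and that a segment override on a register-only operation is deliberately dropped, would make the condition self-documenting for the next reader of this decode path.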