[xen/f20] Hypervisor memory corruption due to x86 emulator flaw

myoung myoung at fedoraproject.org
Wed Mar 11 21:43:56 UTC 2015 

commit 11bc0fcc35647b74f8eba57d97402485df7ef189
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Wed Mar 11 21:43:04 2015 +0000

    Hypervisor memory corruption due to x86 emulator flaw

 xen.spec             |  8 +++++++-
 xsa123-4.3-4.2.patch | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
---
diff --git a/xen.spec b/xen.spec
index 96c43a5..93ef29c 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.3.3
-Release: 10%{?dist}
+Release: 11%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -120,6 +120,7 @@ Patch36: xl.migrate.debug.fail.fix.patch
 Patch37: xsa116-4.3-4.2.patch
 Patch38: xsa121.patch
 Patch39: xsa122.patch
+Patch40: xsa123-4.3-4.2.patch
 
 
 Patch100: xen-configure-xend.patch
@@ -324,6 +325,7 @@ manage Xen virtual machines.
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
+%patch40 -p1
 
 %patch100 -p1
 
@@ -897,6 +899,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Wed Mar 11 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-11
+- Hypervisor memory corruption due to x86 emulator flaw [XSA-123,
+	CVE-2015-2151] (#1200398)
+
 * Thu Mar 05 2015 Michael Young <m.a.young at durham.ac.uk> - 4.3.3-10
 - Information leak via internal x86 system device emulation [XSA-121,
 	CVE-2015-2044]
diff --git a/xsa123-4.3-4.2.patch b/xsa123-4.3-4.2.patch
new file mode 100644
index 0000000..cb03907
--- /dev/null
+++ b/xsa123-4.3-4.2.patch
@@ -0,0 +1,24 @@
+x86emul: fully ignore segment override for register-only operations
+
+For ModRM encoded instructions with register operands we must not
+overwrite ea.mem.seg (if a - bogus in that case - segment override was
+present) as it aliases with ea.reg.
+
+This is CVE-2015-2151 / XSA-123.
+
+Reported-by: Felix Wilhelm <fwilhelm at ernw.de>
+Signed-off-by: Jan Beulich <jbeulich at suse.com>
+Reviewed-by: Tim Deegan <tim at xen.org>
+Reviewed-by: Keir Fraser <keir at xen.org>
+
+--- a/xen/arch/x86/x86_emulate/x86_emulate.c
++++ b/xen/arch/x86/x86_emulate/x86_emulate.c
+@@ -1640,7 +1640,7 @@ x86_emulate(
+         }
+     }
+ 
+-    if ( override_seg != -1 )
++    if ( override_seg != -1 && ea.type == OP_MEM )
+         ea.mem.seg = override_seg;
+ 
+     /* Decode and fetch the source operand: register, memory or immediate. */

More information about the scm-commits mailing list