Allele Security Alert
ASA-2019-00628
Identifier(s)
ASA-2019-00628, CVE-2019-18425, XSA-298
Title
Missing descriptor table limit checking in x86 PV emulation
Vendor(s)
The Xen Project
Product(s)
Xen
Affected version(s)
Xen versions from at least 3.2 onwards
Fixed version(s)
Xen 4.9 with the following patch applied:
x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.9.patch
Xen 4.10 with the following patch applied:
x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.10.patch
Xen 4.11 with the following patch applied:
x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.11.patch
Proof of concept
Unknown
Description
32-bit PV guest user mode can elevate its privileges to that of the guest kernel.
Technical details
When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest-specified limits, unless they are otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of its choice, as long as the guest kernel did not itself install an LDT.
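The check the advisory describes is the one hardware performs on every descriptor fetch: the 8-byte descriptor named by a selector must lie entirely within the limit of the table (GDT or LDT) the selector refers to, and a table the guest kernel never installed must reject every selector. The following is an added illustration written for this alert, not code from Xen or from the XSA-298 patch; the `desc_table` structure, `descriptor_within_limit` and `call_gate_selectors_ok` are hypothetical names, and the table limits used in `main` are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one descriptor table, constructed for this example.
 * `present` is false when the guest kernel never installed the table (the
 * "no LDT" case from the advisory); `limit` is the byte-granular limit as
 * loaded into GDTR/LDTR, i.e. the last valid byte offset in the table. */
struct desc_table {
    bool present;
    uint32_t limit;
};

/* Segment selector layout: bits 0-1 RPL, bit 2 TI (0 = GDT, 1 = LDT),
 * bits 3-15 descriptor index. The descriptor's byte offset is the selector
 * with RPL and TI masked off. */
static inline bool selector_uses_ldt(uint16_t sel) { return (sel & 0x4u) != 0; }
static inline uint32_t selector_offset(uint16_t sel) { return (uint32_t)(sel & ~7u); }
static inline bool selector_is_null(uint16_t sel) { return (sel & ~3u) == 0; }

/* True only if the whole 8-byte descriptor selected by `sel` lies within the
 * limit of the table it refers to. A null selector, a missing table, or a
 * descriptor that ends past `limit` all fail, which is what the hardware
 * signals with #GP and what emulation must reproduce before using the
 * descriptor contents. */
bool descriptor_within_limit(uint16_t sel,
                             const struct desc_table *gdt,
                             const struct desc_table *ldt)
{
    const struct desc_table *t = selector_uses_ldt(sel) ? ldt : gdt;

    if (selector_is_null(sel) || !t->present)
        return false;

    uint32_t off = selector_offset(sel);
    return off + 7u <= t->limit;          /* last byte of descriptor inside table */
}

/* A far call through a call gate fetches two descriptors: the gate itself
 * (named by the selector the guest used) and the target code segment (named
 * by the selector stored inside the gate). Both must pass the limit check. */
bool call_gate_selectors_ok(uint16_t gate_sel, uint16_t target_sel,
                            const struct desc_table *gdt,
                            const struct desc_table *ldt)
{
    return descriptor_within_limit(gate_sel, gdt, ldt) &&
           descriptor_within_limit(target_sel, gdt, ldt);
}

int main(void)
{
    /* Constructed sample: a 4-entry GDT (offsets 0..31) and no LDT installed. */
    struct desc_table gdt = { .present = true, .limit = 0x1f };
    struct desc_table no_ldt = { .present = false, .limit = 0 };

    printf("GDT index 1 (0x0b): %s\n",
           descriptor_within_limit(0x0b, &gdt, &no_ldt) ? "ok" : "beyond limit");
    printf("GDT index 4 (0x23): %s\n",
           descriptor_within_limit(0x23, &gdt, &no_ldt) ? "ok" : "beyond limit");
    printf("LDT index 1 (0x0f) with no LDT: %s\n",
           descriptor_within_limit(0x0f, &gdt, &no_ldt) ? "ok" : "beyond limit");
    return 0;
}
```

The boundary case is the one worth keeping in mind when reviewing such code: the comparison is against the end of the descriptor (`off + 7`), not its start, so a selector whose descriptor begins inside the table but ends past the limit is still rejected.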
Credits
Andrew Cooper (Citrix)
Reference(s)
XSA-298 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-298.html
oss-security – Xen Security Advisory 298 v3 (CVE-2019-18425) – missing descriptor table limit checking in x86 PV emulation
https://www.openwall.com/lists/oss-security/2019/10/31/2
x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.9.patch
x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.10.patch
x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.11.patch
CVE-2019-18425
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425
CVE-2019-18425
https://nvd.nist.gov/vuln/detail/CVE-2019-18425
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 7, 2019