ASA-2019-00628 – Xen: Missing descriptor table limit checking in x86 PV emulation


Allele Security Alert

ASA-2019-00628

Identifier(s)

ASA-2019-00628, CVE-2019-18425, XSA-298

Title

Missing descriptor table limit checking in x86 PV emulation

Vendor(s)

The Xen Project

Product(s)

Xen

Affected version(s)

Xen versions from at least 3.2 onwards. Only x86 systems running 32-bit PV guests are affected; 64-bit PV guests, HVM and PVH guests, and Arm systems are not.

Fixed version(s)

Xen 4.9 with the following patch applied:

x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.9.patch

Xen 4.10 with the following patch applied:

x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.10.patch

Xen 4.11 with the following patch applied:

x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.11.patch

Proof of concept

Unknown

Description

User mode in a 32-bit PV guest can elevate its privileges to those of the guest kernel. The hypervisor itself and other guests are not compromised; the impact is confined to the affected guest.

Technical details

Xen emulates certain operations on behalf of PV guests, among them far calls through call gates made from 32-bit PV guest user mode. The emulating code reads segment descriptors from the guest's GDT or LDT. Architecturally, a selector whose index lies beyond the table limit the guest kernel loaded must raise #GP, but Xen's emulation indexed the tables without applying the guest-specified limits, except where the access was otherwise guaranteed to fail. In a guest whose kernel never installed an LDT, a selector with the table-indicator bit set is therefore not rejected; in effect, guest user mode can arrange for memory it controls to be read as LDT entries, install descriptors of its choice there (such as a call gate into a guest-kernel code segment), and then use them. The fix makes the emulation path validate GDT/LDT limits as the hardware would. A 32-bit PV kernel that installs its own LDT is not exposed through this path, and running the guest as HVM or PVH avoids the emulation entirely.
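The check the fix title names, shown as a toy model rather than as Xen's code. The example below is added here and is not part of the advisory or of the Xen tree; the structures, function names and the sample GDT contents are hypothetical. It assumes only what the advisory states: an emulation path indexes a descriptor table by selector, the guest kernel has loaded a GDT but no LDT, and the memory that would be read as LDT entries is memory that unprivileged guest user mode can write. The unchecked lookup happily returns a user-planted call gate through an LDT selector; the checked lookup raises #GP because the LDT limit is zero entries.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of descriptor-table lookup on an emulation path.  Constructed
 * for illustration of the missing check named in the advisory; this is not
 * Xen's code, and all names here are hypothetical.
 */

#define SEL_TI        0x4          /* table indicator: set = LDT, clear = GDT */
#define SEL_INDEX(s)  ((s) >> 3)   /* descriptor index within the table */

/* Descriptor type lives in bits 40..43; 0xc is a 32-bit call gate. */
#define DESC_TYPE(d)          (((d) >> 40) & 0xfU)
#define DESC_TYPE_CALLGATE32  0xcU

struct desc_table {
    const uint64_t *base;   /* memory read as descriptors, 8 bytes each */
    unsigned int nr_ents;   /* limit the guest kernel loaded, in entries */
};

struct guest {
    struct desc_table gdt;
    struct desc_table ldt;
};

enum { DESC_OK = 0, DESC_GP_FAULT = 1 };

/* Vulnerable pattern: index the table without consulting its limit. */
static int read_desc_unchecked(const struct guest *g, uint16_t sel, uint64_t *out)
{
    const struct desc_table *t = (sel & SEL_TI) ? &g->ldt : &g->gdt;

    *out = t->base[SEL_INDEX(sel)];
    return DESC_OK;
}

/* Fixed pattern: a selector beyond the loaded limit is rejected with #GP. */
static int read_desc_checked(const struct guest *g, uint16_t sel, uint64_t *out)
{
    const struct desc_table *t = (sel & SEL_TI) ? &g->ldt : &g->gdt;

    if (t->base == NULL || SEL_INDEX(sel) >= t->nr_ents)
        return DESC_GP_FAULT;
    *out = t->base[SEL_INDEX(sel)];
    return DESC_OK;
}

/* Encode a present 32-bit call gate: target selector, entry point, DPL. */
static uint64_t make_callgate32(uint16_t target_sel, uint32_t entry, unsigned int dpl)
{
    uint64_t d = 0;

    d |= entry & 0xffffU;
    d |= (uint64_t)target_sel << 16;
    d |= (uint64_t)DESC_TYPE_CALLGATE32 << 40;
    d |= (uint64_t)(dpl & 3U) << 45;
    d |= (uint64_t)1 << 47;                   /* present */
    d |= (uint64_t)(entry >> 16) << 48;
    return d;
}

/* Constructed guest state: a four-entry kernel GDT and no LDT.  The model
 * assumes (hypothetically) that, with no LDT installed, the memory that
 * would be read as LDT entries is writable by guest user mode. */
static uint64_t kernel_gdt[4] = {
    0,                          /* null descriptor */
    0x00cfbb000000ffffULL,      /* flat code, DPL 1 (PV kernel ring) */
    0x00cfb3000000ffffULL,      /* flat data, DPL 1 */
    0,
};
static uint64_t user_controlled[2];

static struct guest setup_guest(void)
{
    struct guest g = {
        .gdt = { kernel_gdt, 4 },
        .ldt = { user_controlled, 0 },  /* kernel never installed an LDT */
    };

    /* "User mode" plants a call gate at LDT index 1 aimed at the DPL-1
     * code segment (selector 0x08) with an entry point of its choosing. */
    user_controlled[1] = make_callgate32(0x08, 0xc0001000U, 3);
    return g;
}

int main(void)
{
    struct guest g = setup_guest();
    uint16_t sel = (1 << 3) | SEL_TI | 3;   /* index 1, LDT, RPL 3 == 0x0f */
    uint64_t d;

    if (read_desc_unchecked(&g, sel, &d) == DESC_OK)
        printf("unchecked: honours type 0x%x read from user memory\n", (unsigned)DESC_TYPE(d));
    if (read_desc_checked(&g, sel, &d) == DESC_GP_FAULT)
        printf("checked: #GP, selector 0x%x is past the LDT limit\n", (unsigned)sel);
    return 0;
}
```

The same limit check applies to GDT selectors: in the model, selector 0x20 (index 4) is rejected against the four-entry GDT, while 0x08 resolves normally, which is the behaviour the hardware would give for a real segment load.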

Credits

Andrew Cooper (Citrix)

Reference(s)

XSA-298 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-298.html

oss-security – Xen Security Advisory 298 v3 (CVE-2019-18425) – missing descriptor table limit checking in x86 PV emulation
https://www.openwall.com/lists/oss-security/2019/10/31/2

x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.9.patch

x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.10.patch

x86/PV: check GDT/LDT limits during emulation
https://xenbits.xen.org/xsa/xsa298-4.11.patch

CVE-2019-18425
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18425

CVE-2019-18425
https://nvd.nist.gov/vuln/detail/CVE-2019-18425

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: November 7, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.