CVE-2014-7156
http://xenbits.xen.org/xsa/advisory-1.html
Missing privilege level checks in x86 emulation of software interrupts
The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks.
missing permission check
http://xenbits.xen.org/xsa/xsa106.patch
x86emul: only emulate software interrupt injection for real mode
Protected mode emulation currently lacks proper privilege checking of the referenced IDT entry, and there’s currently no legitimate way for any of the respective instructions to reach the emulator when the guest is in protected mode.
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -2634,6 +2634,7 @@ x86_emulate(
case 0xcd: /* int imm8 */
src.val = insn_fetch_type(uint8_t);
swint:
+ fail_if(!in_realmode(ctxt, ops)); /* XSA-106 */
fail_if(ops->inject_sw_interrupt == NULL);
rc = ops->inject_sw_interrupt(src.val, _regs.eip - ctxt->regs->eip,
ctxt) ? : X86EMUL_EXCEPTION;
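Review bot: the check added at the swint label refuses emulation for every non-real-mode guest instead of adding the IDT-entry DPL-versus-CPL test the commit message says is missing, yet the inline comment records only the advisory number. Since the justification is that nothing legitimate reaches this path outside real mode, say so in the comment, e.g. `/* XSA-106: protected-mode DPL checks are not implemented; only real mode may get here */`, so a later change that routes protected-mode INT n through the emulator does not take this line for a complete fix. Placing the check at the label rather than inside the 0xcd case is right, since any other case that jumps to swint is covered too.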
The fix just adds one check: whether the guest is in real mode. No DPL check for protected mode is added; that path is simply no longer emulated.
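To make the missing check concrete, here is an added example that models the privilege rule x86 applies to software interrupts (INT n, INT3, INTO) in protected mode, the rule the advisory and commit message above say the emulator skipped. This is not Xen code: the gate layout, the sample IDT, the vector numbers and every function name below (swint_deliver_checked, swint_deliver_unchecked, swint_emulate_xsa106, build_sample_idt) are constructed for illustration. It shows the architectural check (gate DPL must be at least the caller's CPL, tested before the present bit), the unchecked delivery that lets ring-3 code raise a kernel-only vector, and the real-mode-only approach the patch actually takes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Xen code: a model of the privilege check x86 applies
 * to software interrupts in protected mode. struct idt_gate, the sample IDT
 * and all function names are constructed for illustration. */

#define IDT_ENTRIES 256

struct idt_gate {
    bool present;
    unsigned dpl;        /* gate descriptor privilege level, 0..3 */
    uint32_t handler;    /* illustrative handler address */
};

enum swint_outcome {
    SWINT_DELIVERED = 0, /* vector injected, handler would run */
    SWINT_GP,            /* #GP(vector*8+2): gate DPL below caller's CPL */
    SWINT_NP,            /* #NP(vector*8+2): gate not present */
    SWINT_UNHANDLEABLE,  /* emulator refuses the instruction */
};

/* Protected-mode delivery with the architectural checks (Intel SDM, INT n):
 * a software interrupt may only use a gate whose DPL >= CPL, and the DPL
 * test comes before the present test. Hardware interrupts skip the DPL test. */
enum swint_outcome swint_deliver_checked(const struct idt_gate *idt,
                                         unsigned vector, unsigned cpl,
                                         uint32_t *handler)
{
    const struct idt_gate *g = &idt[vector & 0xff];

    if (cpl > g->dpl)
        return SWINT_GP;
    if (!g->present)
        return SWINT_NP;
    *handler = g->handler;
    return SWINT_DELIVERED;
}

/* The pre-patch behaviour as modelled here: the caller's CPL is never
 * consulted, so ring-3 code can raise a DPL-0 vector such as the guest's
 * page-fault entry with a frame the guest kernel never expected. */
enum swint_outcome swint_deliver_unchecked(const struct idt_gate *idt,
                                           unsigned vector, unsigned cpl,
                                           uint32_t *handler)
{
    const struct idt_gate *g = &idt[vector & 0xff];

    (void)cpl; /* the missing check */
    if (!g->present)
        return SWINT_NP;
    *handler = g->handler;
    return SWINT_DELIVERED;
}

/* What the XSA-106 patch does instead of adding the DPL check: refuse to
 * emulate outside real mode. Real mode has no DPL at all; an IVT entry is a
 * bare far pointer, so there is no privilege to check there. */
enum swint_outcome swint_emulate_xsa106(bool realmode, const uint32_t *ivt,
                                        unsigned vector, uint32_t *handler)
{
    if (!realmode)
        return SWINT_UNHANDLEABLE;
    *handler = ivt[vector & 0xff];
    return SWINT_DELIVERED;
}

/* Constructed guest IDT: a ring-3 callable system-call gate, a kernel-only
 * page-fault gate, and one gate the kernel left unpopulated. */
void build_sample_idt(struct idt_gate *idt)
{
    memset(idt, 0, sizeof(*idt) * IDT_ENTRIES);
    idt[0x80] = (struct idt_gate){ .present = true,  .dpl = 3, .handler = 0xc0001000 };
    idt[0x0e] = (struct idt_gate){ .present = true,  .dpl = 0, .handler = 0xc0002000 };
    idt[0x81] = (struct idt_gate){ .present = false, .dpl = 3, .handler = 0 };
}

int main(void)
{
    static struct idt_gate idt[IDT_ENTRIES];
    static const char *names[] = { "delivered", "#GP", "#NP", "unhandleable" };
    uint32_t h = 0;
    enum swint_outcome r;

    build_sample_idt(idt);
    r = swint_deliver_checked(idt, 0x80, 3, &h);
    printf("int 0x80 from ring 3, checked:   %s\n", names[r]);
    r = swint_deliver_checked(idt, 0x0e, 3, &h);
    printf("int 0x0e from ring 3, checked:   %s\n", names[r]);
    r = swint_deliver_unchecked(idt, 0x0e, 3, &h);
    printf("int 0x0e from ring 3, unchecked: %s (handler %#x)\n", names[r], h);
    r = swint_emulate_xsa106(false, (const uint32_t *)idt, 0x0e, &h);
    printf("int 0x0e in protected mode, post-patch emulator: %s\n", names[r]);
    return 0;
}
```

The unchecked path is what a user-mode guest process could exercise before the fix: `int 0x0e` lands in the guest kernel's page-fault handler with no error code and a register state it did not produce, which is why the impact is a guest crash rather than a host escape. The checked path faults with #GP, as real hardware does.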
Malicious HVM guest user mode code may be able to crash the guest.
guest DoS