XSA-76

CVE-2013-4554


Problem description

http://xenbits.xen.org/xsa/advisory-76.html

Hypercalls exposed to privilege rings 1 and 2 of HVM guests

The privilege check applied to hypercall attempts by a HVM guest only refused access from ring 3; rings 1 and 2 were allowed through.

Root cause: inadequate privilege check (only ring 3 was refused)
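To make the defect concrete, the following is an added C model of the check, written for this note and not taken from Xen's source or from the advisory. It assumes the standard x86 segment descriptor access byte, in which the DPL occupies bits 5 and 6, and it compares the pre-patch predicate (refuse only DPL 3) with the patched one (refuse anything other than DPL 0) across all four rings. The attribute values are constructed here for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x86 segment descriptor access byte: type (bits 0-3), S (bit 4),
 * DPL (bits 5-6), P (bit 7). Assumed layout, not Xen's structure. */
#define SEG_ATTR_DPL_SHIFT 5
#define SEG_ATTR_DPL_MASK  0x3u

static unsigned int seg_attr_dpl(uint16_t attr)
{
    return (attr >> SEG_ATTR_DPL_SHIFT) & SEG_ATTR_DPL_MASK;
}

/* Pre-XSA-76 behaviour: hypercall refused only when SS.DPL == 3. */
static bool hypercall_allowed_before(uint16_t ss_attr)
{
    return seg_attr_dpl(ss_attr) != 3;
}

/* Patched behaviour: hypercall allowed only when SS.DPL == 0. */
static bool hypercall_allowed_after(uint16_t ss_attr)
{
    return seg_attr_dpl(ss_attr) == 0;
}

/* Build a constructed SS access byte for the given DPL:
 * present, code/data segment, read/write data type. */
static uint16_t make_ss_attr(unsigned int dpl)
{
    uint16_t attr = 0x3;             /* type: read/write data */
    attr |= 1u << 4;                 /* S: code/data segment */
    attr |= (dpl & 3u) << 5;         /* DPL */
    attr |= 1u << 7;                 /* P: present */
    return attr;
}

/* Number of rings the old check admitted that the fix refuses.
 * Expected: 2 (rings 1 and 2). */
static int rings_wrongly_admitted(void)
{
    int n = 0;
    for (unsigned int dpl = 0; dpl < 4; dpl++) {
        uint16_t attr = make_ss_attr(dpl);
        if (hypercall_allowed_before(attr) && !hypercall_allowed_after(attr))
            n++;
    }
    return n;
}

int main(void)
{
    printf("DPL  before  after\n");
    for (unsigned int dpl = 0; dpl < 4; dpl++) {
        uint16_t attr = make_ss_attr(dpl);
        printf("%u    %-6s  %s\n", dpl,
               hypercall_allowed_before(attr) ? "allow" : "EPERM",
               hypercall_allowed_after(attr) ? "allow" : "EPERM");
    }
    printf("rings wrongly admitted before the fix: %d\n",
           rings_wrongly_admitted());
    return 0;
}
```

The table printed by `main` shows rings 1 and 2 passing the old check and being refused by the new one; ring 0 is allowed and ring 3 refused under both.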


Patch description

http://xenbits.xen.org/xsa/xsa76.patch

x86/HVM: only allow ring 0 guest code to make hypercalls

Anything else would allow for privilege escalation.

--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
     case 4:
     case 2:
         hvm_get_segment_register(curr, x86_seg_ss, &sreg);
-        if ( unlikely(sreg.attr.fields.dpl == 3) )
+        if ( unlikely(sreg.attr.fields.dpl) )
         {
     default:
             regs->eax = -EPERM;
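Review bot: the new condition `if ( unlikely(sreg.attr.fields.dpl) )` is correct only because `dpl` is a two-bit field, so any nonzero value means ring 1, 2 or 3; the bare truthiness test hides that intent. Consider writing it as `sreg.attr.fields.dpl != 0` or adding a one-line comment stating that hypercalls are permitted only from ring 0, as the commit title says. The fall-through into `default:` that sets `regs->eax = -EPERM` is pre-existing, so refused rings still get the same -EPERM result as before.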

Consequence

Code running in the intermediate privilege rings of HVM guest OSes may be able to elevate its privileges inside the guest by careful hypercall use.

Impact: privilege escalation within the guest