CVE-2013-4554
http://xenbits.xen.org/xsa/advisory-76.html
Hypercalls exposed to privilege rings 1 and 2 of HVM guests
The privilege check applied to hypercall attempts by a HVM guest only refused access from ring 3; rings 1 and 2 were allowed through.
inadequate privilege check
http://xenbits.xen.org/xsa/xsa76.patch
x86/HVM: only allow ring 0 guest code to make hypercalls
Anything else would allow for privilege escalation.
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3359,7 +3359,7 @@ int hvm_do_hypercall(struct cpu_user_reg
case 4:
case 2:
hvm_get_segment_register(curr, x86_seg_ss, &sreg);
- if ( unlikely(sreg.attr.fields.dpl == 3) )
+ if ( unlikely(sreg.attr.fields.dpl) )
{
default:
regs->eax = -EPERM;
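Review bot: the corrected predicate `if ( unlikely(sreg.attr.fields.dpl) )` is a bare truthiness test on a two-bit field, which hides the intent that only a ring 0 SS (DPL 0) may proceed and that DPL 1, 2 and 3 all fall through to the `default:` `regs->eax = -EPERM;` path; writing it as `sreg.attr.fields.dpl != 0`, or adding a one-line comment that SS.DPL is the guest's current privilege level and anything non-zero is refused, would make the allow-list nature of the fix obvious to the next reader, compared with the deny-list `== 3` it replaces.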
Code running in the intermediate privilege rings of HVM guest OSes may be able to elevate its privileges inside the guest by careful hypercall use.
privilege escalation
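The before/after predicates from the hunk above, modelled in C as an added illustration (not Xen's code): the SS access-rights word is decoded the way Xen's `segment_attributes_t` lays it out (type:4, s:1, dpl:2, p:1), and the constructed SS attribute values for rings 0 to 3 are fed through the deny-list check (`dpl == 3`) and the allow-list check (`dpl != 0`) to show which rings each one lets through.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits 5-6 of the x86 segment access-rights word hold the DPL; for the
 * SS register this equals the current privilege level of the guest. */
static unsigned int ss_dpl(uint16_t attr)
{
    return (attr >> 5) & 0x3;
}

/* Constructed SS attribute: present, writable data segment, DPL = ring.
 * (type=0x3, s=1, p=1 gives the 0x93 base; DPL is OR'd into bits 5-6.) */
static uint16_t make_ss_attr(unsigned int ring)
{
    return (uint16_t)(0x93 | ((ring & 0x3) << 5));
}

/* Check as it was before XSA-76: only ring 3 refused (deny-list).
 * Returns 1 when the hypercall would be allowed, 0 for -EPERM. */
int hypercall_allowed_before(uint16_t ss_attr)
{
    return ss_dpl(ss_attr) != 3;
}

/* Check after the patch: any non-zero DPL refused (allow-list for ring 0). */
int hypercall_allowed_after(uint16_t ss_attr)
{
    return ss_dpl(ss_attr) == 0;
}

int main(void)
{
    for (unsigned int ring = 0; ring < 4; ring++) {
        uint16_t attr = make_ss_attr(ring);
        printf("ring %u (SS attr 0x%02x): before=%s after=%s\n", ring, attr,
               hypercall_allowed_before(attr) ? "allowed" : "-EPERM",
               hypercall_allowed_after(attr) ? "allowed" : "-EPERM");
    }
    return 0;
}
```

Rings 1 and 2 are "allowed" only under the pre-patch predicate, which is exactly the gap the advisory describes.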