FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xen-kernel -- x86: Mishandling of SYSCALL singlestep during emulation

Affected packages
xen-kernel < 4.7.1_2

Details

VuXML ID 942433db-c661-11e6-ae1b-002590263bf5
Discovery 2016-12-19
Entry 2016-12-20

The Xen Project reports:

The typical behaviour of singlestepping exceptions is determined at the start of the instruction, with a #DB trap being raised at the end of the instruction. SYSCALL (and SYSRET, although we don't implement it) behave differently because the typical behaviour allows userspace to escalate its privilege. (This difference in behaviour seems to be undocumented.) Xen wrongly raised the exception based on the flags at the start of the instruction.

Guest userspace which can invoke the instruction emulator can use this flaw to escalate its privilege to that of the guest kernel.

References

CVE Name CVE-2016-10013
URL http://xenbits.xen.org/xsa/advisory-204.html