Vigil@nce - Xen: information disclosure via I/O Emulation
October 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker located in an HVM guest can use input/output
operations to read Xen memory and obtain sensitive
information.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 30/09/2013
DESCRIPTION OF THE VULNERABILITY
An HVM (Hardware Virtual Machine) guest system uses resources of
the physical system.
When an error occurs while memory data is being copied, several
error codes are used to report it:
– HVMCOPY_bad_gva_to_gfn
– HVMCOPY_gfn_paged_out
– HVMCOPY_gfn_shared
– etc.
However, several functions in the xen/arch/x86/hvm/ directory do
not handle all error cases. Some error cases are thus ignored,
and Xen continues its execution path and returns data to the user.
An attacker located in an HVM guest can therefore use input/output
operations to read Xen memory and obtain sensitive
information.
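The incomplete error handling described above can be modelled in a few lines of C. This is an added example, not Xen source and not part of the original bulletin: only the three HVMCOPY_* error names come from the bulletin, while HVMCOPY_okay, the io_status values, the byte markers and every function name are assumptions made for the model.

```c
#include <string.h>

/* Simplified model, not Xen source. Error names come from the bulletin; */
/* HVMCOPY_okay, io_status, the markers and all function names are assumed. */
enum hvmcopy_result { HVMCOPY_okay, HVMCOPY_bad_gva_to_gfn,
                      HVMCOPY_gfn_paged_out, HVMCOPY_gfn_shared };
enum io_status { IO_OKAY, IO_RETRY, IO_EXCEPTION };
#define LEN   8
#define STALE 0x5A /* constructed: leftover hypervisor data */
#define GUEST 0x41 /* constructed: real guest data */

/* Stand-in for the guest-memory copy: writes buf only on success. */
static enum hvmcopy_result model_copy(unsigned char *buf, enum hvmcopy_result r)
{
    if (r == HVMCOPY_okay) memset(buf, GUEST, LEN);
    return r;
}

/* Flawed: one error is checked; every other failure falls through as success. */
enum io_status read_incomplete(unsigned char *out, enum hvmcopy_result r)
{
    unsigned char buf[LEN];
    memset(buf, STALE, LEN); /* models whatever the buffer held before */
    if (model_copy(buf, r) == HVMCOPY_bad_gva_to_gfn) return IO_EXCEPTION;
    memcpy(out, buf, LEN);
    return IO_OKAY;
}

/* Hardened: data leaves only on explicit success; unknown codes fail closed. */
enum io_status read_complete(unsigned char *out, enum hvmcopy_result r)
{
    unsigned char buf[LEN];
    memset(buf, STALE, LEN);
    switch (model_copy(buf, r)) {
    case HVMCOPY_okay:          memcpy(out, buf, LEN); return IO_OKAY;
    case HVMCOPY_gfn_paged_out:
    case HVMCOPY_gfn_shared:    return IO_RETRY;
    default:                    return IO_EXCEPTION;
    }
}

/* Number of stale bytes that reach the caller's buffer for a given outcome. */
int stale_bytes_returned(int hardened, enum hvmcopy_result r)
{
    unsigned char out[LEN] = {0};
    int i, n = 0;
    if (hardened) read_complete(out, r); else read_incomplete(out, r);
    for (i = 0; i < LEN; i++) n += (out[i] == STALE);
    return n;
}
```

In the model, stale_bytes_returned(0, HVMCOPY_gfn_paged_out) reports all 8 stale bytes reaching the caller, while the hardened handler reports none for any outcome.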
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-information-disclosure-via-I-O-Emulation-13505