Vigil@nce - Xen: information disclosure via FBLD
October 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker located in a guest system can use the FBLD
instruction to read data belonging to other Xen guests and thereby
obtain sensitive information.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 30/09/2013
DESCRIPTION OF THE VULNERABILITY
The FBLD (Load Binary Coded Decimal) assembler instruction loads a
packed binary-coded decimal integer from memory and converts it to a
floating-point value on the x87 register stack.
The x86_emulate() function of the xen/arch/x86/x86_emulate/x86_emulate.c
file implements the FBLD instruction. However, the source address
is not initialized. The guest system thus obtains a value
originating from the hypervisor stack.
An attacker located in a guest system can therefore use the FBLD
instruction to read data belonging to other Xen guests and thereby
obtain sensitive information.
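The defect described above is a classic instruction-emulation failure mode: a source operand buffer on the hypervisor stack is consumed before it has been filled from guest memory. The following C program is an added, self-contained illustration of the hardened pattern; it is not Xen's x86_emulate() code. It mocks a guest-memory read callback and a single FPU register, decodes the 80-bit packed BCD format that FBLD consumes, and commits the result only after the buffer has been zero-initialised and the guest read has succeeded. All names (emulate_fbld, mock_read, demo_fbld, the 64-byte mock guest memory and the constructed operand at address 16) are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed callback type for reading guest memory: 0 on success,
 * nonzero when the guest address cannot be read (unmapped, faulting). */
typedef int (*read_guest_fn)(uint64_t gaddr, void *dst, size_t len, void *ctx);

/* Decode the 80-bit packed BCD operand format used by FBLD: 18 digits in
 * bytes 0..8 (low nibble is the lower digit, byte 0 least significant),
 * sign in bit 7 of byte 9. Returns false on a nibble outside 0..9. */
bool packed_bcd_to_int64(const uint8_t src[10], int64_t *out) {
    int64_t v = 0;
    for (int i = 8; i >= 0; i--) {
        unsigned hi = src[i] >> 4, lo = src[i] & 0x0F;
        if (hi > 9 || lo > 9)
            return false;
        v = v * 100 + (int64_t)(hi * 10 + lo);
    }
    *out = (src[9] & 0x80) ? -v : v;
    return true;
}

/* Hardened emulation step (hypothetical, not Xen's implementation).
 * The bulletin's defect corresponds to using `src` without the zero
 * initialiser and without checking that the guest read actually filled it:
 * whatever the hypervisor stack last held would then reach the guest. */
int emulate_fbld(uint64_t src_gaddr, read_guest_fn read_guest, void *ctx,
                 int64_t *st0) {
    uint8_t src[10] = {0};                 /* never left holding stale stack data */
    if (read_guest(src_gaddr, src, sizeof src, ctx) != 0)
        return -1;                         /* fault: leave the register untouched */
    int64_t v;
    if (!packed_bcd_to_int64(src, &v))
        return -2;                         /* invalid operand: leave it untouched */
    *st0 = v;                              /* commit only a fully guest-derived value */
    return 0;
}

/* Constructed 64-byte "guest memory" behind the mock read callback. */
struct mock_guest { uint8_t mem[64]; };

int mock_read(uint64_t gaddr, void *dst, size_t len, void *ctx) {
    struct mock_guest *g = ctx;
    if (gaddr > sizeof g->mem || len > sizeof g->mem - gaddr)
        return -1;                         /* operand crosses the end of mapped memory */
    memcpy(dst, g->mem + gaddr, len);
    return 0;
}

/* Demo: -1234 encoded as packed BCD at guest address 16 decodes correctly;
 * an operand straddling the end of guest memory is rejected and the mock
 * register keeps its previous value. Returns 0 when both checks hold. */
int demo_fbld(void) {
    struct mock_guest g;
    memset(&g, 0, sizeof g);
    uint8_t *op = g.mem + 16;
    op[0] = 0x34; op[1] = 0x12; op[9] = 0x80;  /* digits 1234, sign bit set */
    int64_t st0 = 777;
    if (emulate_fbld(16, mock_read, &g, &st0) != 0 || st0 != -1234)
        return 1;
    if (emulate_fbld(60, mock_read, &g, &st0) != -1 || st0 != -1234)
        return 2;
    return 0;
}

int main(void) {
    int rc = demo_fbld();
    printf("fbld emulation demo: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

The two properties a reviewer would look for in any such handler are visible here: the operand buffer has a defined value before any use, and the register write sits after every check, so a failed or partial read has no path to the guest.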
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-information-disclosure-via-FBLD-13507