Vigil@nce - Xen: information disclosure via CMPXCHG8B
December 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker inside a guest system can use a CMPXCHG8B
instruction to read some bytes of the Xen stack on the host
system.
Impacted products: XenServer, Fedora, SUSE Linux Enterprise
Desktop, SLES, Xen.
Severity: 1/4.
Creation date: 14/12/2016.
DESCRIPTION OF THE VULNERABILITY
The Xen hypervisor can emulate x86 instructions.
Some instructions may carry an operand size prefix that states the
length of the memory access. This prefix should not be taken into
account for the CMPXCHG8B instruction. However, some parts of the
hypervisor's emulation code do honour it.
A local attacker inside a guest system can therefore use a
CMPXCHG8B instruction to read some bytes of the Xen stack on the
host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Xen-information-disclosure-via-CMPXCHG8B-21386