CVE-2016-3158

Name: CVE-2016-3158
Description: The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-571-1, DSA-3554-1
NVD severity: low (attack range: local)
Debian Bugs: 823620

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release            | Version          | Status
xen (PTS)      | wheezy             | 4.1.4-3+deb7u9   | vulnerable
               | wheezy (security)  | 4.1.6.lts1-8     | fixed
               | jessie             | 4.4.1-9+deb8u9   | fixed
               | jessie (security)  | 4.4.1-9+deb8u10  | fixed
               | buster, sid, stretch | 4.8.1-1+deb9u1 | fixed
               | stretch (security) | 4.8.1-1+deb9u3   | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin     | Debian Bugs
xen     | source | (unstable) | 4.8.0~rc3-1   | low     |            | 823620
xen     | source | jessie     | 4.4.1-9+deb8u5 | low    | DSA-3554-1 |
xen     | source | wheezy     | 4.1.6.lts1-1  | low     | DLA-571-1  |

Notes

http://xenbits.xen.org/xsa/advisory-172.html
CVE-2016-3158 is for the code change which is required for all versions (but which is sufficient only on Xen 4.3.x, and insufficient on later versions), i.e. for the second hunk in xsa172.patch (the only hunk in xsa172-4.3.patch), which patches the function xrstor.
