diff options
author | Matthew Daley <mattjd@gmail.com> | 2013-10-10 15:25:58 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2013-10-10 15:25:58 +0200 |
commit | 5ceec62beb350d37515341f400b170c5425d065f (patch) | |
tree | a9ec3fc7281690db32cf1c8e9b0d23c81ae081e0 /tools | |
parent | ca0fe6dc4ff9fd12bca751d73b20b309f0444ae2 (diff) | |
download | xen-stable-4.1.tar.gz xen-stable-4.1.tar.bz2 xen-stable-4.1.zip |
x86: check segment descriptor read result in 64-bit OUTS emulationstaging-4.1stable-4.1
When emulating such an operation from a 64-bit context (CS has long
mode set), and the data segment is overridden to FS/GS, the result of
reading the overridden segment's descriptor (read_descriptor) is not
checked. If it fails, data_base is left uninitialized.
This can lead to 8 bytes of Xen's stack being leaked to the guest
(implicitly, i.e. via the address given in a #PF).
Coverity-ID: 1055116
This is CVE-2013-4368 / XSA-67.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Fix formatting.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
master commit: 0771faba163769089c9f05f7f76b63e397677613
master date: 2013-10-10 15:19:53 +0200
Diffstat (limited to 'tools')
0 files changed, 0 insertions, 0 deletions