xsa-182 / CVE-2016-6258

I would like to remind the Ubuntu team that this is a critical security issue since it's an VM escape!

Thank you for taking the time to report this bug and helping to make Ubuntu better.

This was not flagged as security so was only in the regular triage queue, not the security team's queue. I'll mark it accordingly.

Woops, thanks!

In addition, the CVE explanation by mitre[1] is wrong. It mentions: "The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.".

However, 64-bit PV guest's seem to be vulnerable to the same bug as I confirmed yesterday by executing the PoC[2] by Quarkslab[3] in a 64-bit guest. By putting a patched kernel on the dom0, the PoC said it was no longer vulnerable.

I dropped the patch[4] in debian/patches and made reference to it in debian/patches/series and started a build of the xen-hypervisor-4.4-amd64 package.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6258
[2] http://blog.quarkslab.com/resources/2016-08-04-xen_exploitation_part_3_xsa_148/xsa-182-poc.tar.gz
[3] http://blog.quarkslab.com/xen-exploitation-part-3-xsa-182-qubes-escape.html
[4] http://xenbits.xen.org/xsa/advisory-182.html

Hope this helps anyone!

Should now be fixed by latest security uploads.