From: Jan Beulich Date: Wed, 27 Nov 2013 08:01:49 +0000 (+0100) Subject: x86/HVM: only allow ring 0 guest code to make hypercalls X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~5859 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=5c447caaf49192c7b2c057ffbb565ce72aac666d;p=xen.git x86/HVM: only allow ring 0 guest code to make hypercalls Anything else would allow for privilege escalation. This is CVE-2013-4554 / XSA-76. Signed-off-by: Jan Beulich Acked-by: Ian Campbell --- diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index af249f7543..e2ba9ded0c 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -3468,7 +3468,7 @@ int hvm_do_hypercall(struct cpu_user_regs *regs) case 4: case 2: hvm_get_segment_register(curr, x86_seg_ss, &sreg); - if ( unlikely(sreg.attr.fields.dpl == 3) ) + if ( unlikely(sreg.attr.fields.dpl) ) { default: regs->eax = -EPERM;
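
Review bot: The new condition in hvm_do_hypercall(), "if ( unlikely(sreg.attr.fields.dpl) )", relies on implicit truthiness to mean "any ring other than 0", and nothing at that line says so. A short comment above the check stating that the DPL of SS is used as the caller's privilege level and that rings 1 and 2 are rejected along with ring 3 would keep a later change from narrowing it back to "== 3"; spelling the test as "dpl != 0" would make the same intent visible in the code itself. The "default:" label inside the body of this if means the -EPERM path is shared between the failed privilege check and unmatched mode values. That is unchanged context, but because this branch is now the boundary the commit message describes, a one-line comment on that fall-in would help anyone auditing the function.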