FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xen-kernel -- x86 CMPXCHG8B emulation fails to ignore operand size override

Affected packages
xen-kernel < 4.7.1_1


VuXML ID 80a897a2-c1a6-11e6-ae1b-002590263bf5
Discovery 2016-12-13
Entry 2016-12-14

The Xen Project reports:

The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override (making it CMPXCHG16B). So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the set of possible operand sizes was relied on in some parts of the emulation; but a wrong, fully general, operand size value was used for other parts of the emulation. As a result, if a guest uses a supposedly-ignored operand size prefix, a small amount of hypervisor stack data is leaked to the guests: a 96 bit leak to guests running in 64-bit mode; or, a 32 bit leak to other guests.

A malicious unprivileged guest may be able to obtain sensitive information from the host.


CVE Name CVE-2016-9932