Hi all- For those who are seeing this for the first time: any 64-bit Xen PV domain with IO port access privileges (in practice, this means dom0 AFAIK) and any user programs that use iopl(3) (various old X drivers, presumably) is probably vulnerable to privilege escalations by unprivileged programs running in the same PV domain.
There's a long public description of the issue here: http://xenbits.xen.org/xsa/advisory-171.html Changes from v3: - Add Jan's R-b. - No longer embargoed Changes from v2: Pretend v2 never happened... Changes from v1: Use xen/hypervisor.h instead of xen-ops.h (Jan) Andy Lutomirski (3): selftests/x86: Add a iopl test x86/iopl/64: Properly context-switch IOPL on Xen PV x86/iopl: Fix iopl capability check on Xen PV arch/x86/include/asm/xen/hypervisor.h | 2 + arch/x86/kernel/ioport.c | 12 ++- arch/x86/kernel/process_64.c | 12 +++ arch/x86/xen/enlighten.c | 2 +- tools/testing/selftests/x86/Makefile | 2 +- tools/testing/selftests/x86/iopl.c | 135 ++++++++++++++++++++++++++++++++++ 6 files changed, 160 insertions(+), 5 deletions(-) create mode 100644 tools/testing/selftests/x86/iopl.c -- 2.5.0