x86/HVM: only allow ring 0 guest code to make hypercalls
authorJan Beulich <jbeulich@suse.com>
Wed, 27 Nov 2013 08:52:08 +0000 (09:52 +0100)
committerJan Beulich <jbeulich@suse.com>
Wed, 27 Nov 2013 08:52:08 +0000 (09:52 +0100)
Anything else would allow for privilege escalation.

This is CVE-2013-4554 / XSA-76.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
master commit: 5c447caaf49192c7b2c057ffbb565ce72aac666d
master date: 2013-11-27 09:01:49 +0100

xen/arch/x86/hvm/hvm.c

index dc2481032045b80b9e2b773886ef27eb20986738..9a0a91e8601559ff75a476649589183637d035da 100644 (file)
@@ -2828,7 +2828,7 @@ int hvm_do_hypercall(struct cpu_user_regs *regs)
     case 4:
     case 2:
         hvm_get_segment_register(curr, x86_seg_ss, &sreg);
-        if ( unlikely(sreg.attr.fields.dpl == 3) )
+        if ( unlikely(sreg.attr.fields.dpl) )
         {
     default:
             regs->eax = -EPERM;
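Review bot: The ring check at `if ( unlikely(sreg.attr.fields.dpl) )` carries no comment saying that SS.DPL is being used as the guest's current privilege level and that every non-zero ring is refused, so the security intent can only be recovered from the commit message. I would add `/* SS.DPL stands in for CPL: only ring 0 may issue hypercalls (XSA-76). */` above it and write the test as `sreg.attr.fields.dpl != 0` so the comparison reads as deliberate. The `default:` label sits inside this `if` body, so unlisted modes share the `-EPERM` path; a short `/* unknown modes are rejected as well */` beside the label would keep a later edit from separating the two by accident. The switch and the rest of hvm_do_hypercall begin and end outside the hunk, so whether any mode skips this check cannot be confirmed from the lines shown.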