Xen project Mailing List

[Xen-announce] Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Thu, 18 Apr 2013 13:36:19 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Thu, 18 Apr 2013 13:41:47 +0000

List-id: "Xen announcements $low volume$" <xen-announce.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-1917 / XSA-44 version 2 Xen PV DoS vulnerability with SYSENTER UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified - in particular, the NT flag doesn't get cleared. If the hypervisor subsequently uses IRET to return to the guest (which it will always do if the guest is a 32-bit one), that instruction will cause a #GP fault to be raised, but the recovery code in the hypervisor will again try to use IRET without intermediately clearing the NT flag. The #GP fault raised on this second IRET is a fatal event, causing the hypervisor to crash. IMPACT ====== Malicious or buggy unprivileged user space can cause the entire host to crash. VULNERABLE SYSTEMS ================== All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are vulnerable. 32-bit Xen is not affected, as it doesn't permit the use of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected since AMD CPUs don't allow the use of SYSENTER in long mode. The vulnerability is only exposed by PV guests. MITIGATION ========== Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD CPUs will avoid this vulnerability. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa44-4.1.patch Xen 4.1.x xsa44-4.2.patch Xen 4.2.x xsa44-unstable.patch xen-unstable $ sha256sum xsa44*.patch 3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783 xsa44-4.1.patch c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49 xsa44-4.2.patch 0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36 xsa44-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRb/ZcAAoJEIP+FMlX6CvZCwMH/iTJCG4P9d+0nADT6YB3JmPl e9eO+cE+rGHBy5pdKAh1UF1JG9VvQe76hlJP3YS0QaXMNtN6k2dxoHZEj1hpSzKJ Q+KfS/R9yvVlputbfsVPSYYTl1bzDzMlWqyy/cZUZZVpGkMhVw1dLjJp4NvohCWb OABvchlbY1tW2Vk4tNWy4vhVGHdzxegrtttEuAIBoXHtCIIeH3/0nwqokahfKzog cKr5+y9K0JgbFSGP25POu/e7s9+sUKjJfUsFVw3+HknBW+zgJZ8fcu+/J0eJlgb5 0tkq749p+DtRE+kqS4sSM71+iGmnpWh+a0lsBmhARa6pyKVN+ccMvzvh809ItQg= =w315 -----END PGP SIGNATURE-----

Attachment: xsa44-4.1.patch
Description: Binary data

Attachment: xsa44-4.2.patch
Description: Binary data

Attachment: xsa44-unstable.patch
Description: Binary data

_______________________________________________ Xen-announce mailing list Xen-announce@xxxxxxxxxxxxx http://lists.xen.org/xen-announce

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.