[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 54 (CVE-2013-2078) - Hypervisor crash due to missing exception recovery on XSETBV



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-2078 / XSA-54
                            version 3

       Hypervisor crash due to missing exception recovery on XSETBV

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Processors do certain validity checks on the register values passed to
XSETBV.  For the PV emulation path for that instruction the hypervisor
code didn't check for certain invalid bit combinations, thus exposing
itself to a fault occurring when invoking that instruction on behalf
of the guest.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host
to crash.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE.  Only PV guests can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the "xsave"
hypervisor command line option.

Systems using processors not supporting XSAVE are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line
option will avoid the vulnerability.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa54.patch                 Xen 4.1.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa54-*.patch
5d94946b3c9cba52aae2bffd4b0ebb11d09181650b5322a3c85170674a05f6b7  xsa54.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRrMHJAAoJEIP+FMlX6CvZo7QH/insD6Ggb7vo09gEHuwktsXr
yv0S1/ITk7dtGvHzhDKS3DS0AdYQeaHzU9MxH2/Cfa4GOQKGRTLNSfSpqZbd2hoB
ZLhKwxA4nriCkW/Igzv6u7dxD5NuoRNE2lxyWIBaIHXczr4HvRJQin8pjKnzKujJ
YQPbvgNqfuk/AhjxoZuZrhD3IN5RJm0+K6bkqRZQJt+IwI5jeu4n9xFJsS6joAdC
ch/T1ADbt/OVeQFXvz1xGb0+OXo+Xs7kQCbZWT3ZNUMwx+JXw94WI5MTqMrXGVPC
bBUNxk64dvOThbLLF0O9mv03L/bIWHM8kWJD61JJGhMTnlx7uFJ0SFdPzGhMPd8=
=dCbn
-----END PGP SIGNATURE-----

Attachment: xsa54.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.