Xen.org security team
2013-Apr-18  13:36 UTC
Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER
             Xen Security Advisory CVE-2013-1917 / XSA-44
                              version 2
                Xen PV DoS vulnerability with SYSENTER

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn't get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS
==================

All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable.  32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected
since AMD CPUs don't allow the use of SYSENTER in long mode.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa44-4.1.patch             Xen 4.1.x
xsa44-4.2.patch             Xen 4.2.x
xsa44-unstable.patch        xen-unstable

$ sha256sum xsa44*.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783  xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49  xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36  xsa44-unstable.patch
$
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
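
A simplified C model of the double-fault sequence in the issue description, added here as an illustration; it is not code from the advisory or from the attached patches. The type and function names are hypothetical, and the two places where NT might be cleared are assumptions, since the patch contents are not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>

#define EFLAGS_NT (1u << 14)   /* Nested Task flag, EFLAGS bit 14 */

enum nt_policy { NT_NEVER_CLEARED, NT_CLEARED_ON_ENTRY, NT_CLEARED_IN_RECOVERY };

struct exit_result {
    int gp_faults;    /* #GP faults taken inside the hypervisor */
    int host_alive;   /* 0 = fatal fault, whole host is down */
};

/* IRET as the advisory describes it: raises #GP while NT is set. */
static int iret_faults(uint32_t eflags) { return (eflags & EFLAGS_NT) != 0; }

/* Hypothetical model of a SYSENTER entry followed by the IRET exit path.
 * guest_eflags is what SYSENTER left in EFLAGS (the CPU does not clear NT). */
struct exit_result sysenter_roundtrip(uint32_t guest_eflags, enum nt_policy policy)
{
    struct exit_result r = { 0, 1 };
    uint32_t eflags = guest_eflags;

    if (policy == NT_CLEARED_ON_ENTRY)
        eflags &= ~EFLAGS_NT;          /* sanitise before any IRET runs */

    if (!iret_faults(eflags))
        return r;                      /* normal return to the guest */

    r.gp_faults++;                     /* first #GP: recovery code runs */
    if (policy == NT_CLEARED_IN_RECOVERY)
        eflags &= ~EFLAGS_NT;          /* assumed alternative fix location */

    if (iret_faults(eflags)) {         /* recovery retries IRET */
        r.gp_faults++;                 /* second #GP is fatal */
        r.host_alive = 0;
    }
    return r;
}

int main(void)
{
    for (int p = NT_NEVER_CLEARED; p <= NT_CLEARED_IN_RECOVERY; p++) {
        struct exit_result r = sysenter_roundtrip(EFLAGS_NT | 0x202u, (enum nt_policy)p);
        printf("policy %d: #GP faults=%d host_alive=%d\n", p, r.gp_faults, r.host_alive);
    }
    return 0;
}
```

Clearing NT on entry avoids both faults; clearing it only in the recovery path still takes the first #GP but survives the retry.
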
Xen.org security team
2013-Apr-18  13:50 UTC
Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER
             Xen Security Advisory CVE-2013-1917 / XSA-44
                              version 3
                Xen PV DoS vulnerability with SYSENTER

UPDATES IN VERSION 3
====================

Backported patch for 4.0 now available.

ISSUE DESCRIPTION
=================

The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn't get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS
==================

All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable.  32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected
since AMD CPUs don't allow the use of SYSENTER in long mode.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa44-4.0.patch             Xen 4.0.x
xsa44-4.1.patch             Xen 4.1.x
xsa44-4.2.patch             Xen 4.2.x
xsa44-unstable.patch        xen-unstable

$ sha256sum xsa44*.patch
4de554d29adbae41a65d401becd9d074be27932ad9f3e0ed78ecb89de3ed35b5  xsa44-4.0.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783  xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49  xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36  xsa44-unstable.patch
$