Xen.org security team
2013-Apr-18 13:36 UTC
Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-1917 / XSA-44 version 2 Xen PV DoS vulnerability with SYSENTER UPDATES IN VERSION 2 =================== Public release. ISSUE DESCRIPTION ================ The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified - in particular, the NT flag doesn''t get cleared. If the hypervisor subsequently uses IRET to return to the guest (which it will always do if the guest is a 32-bit one), that instruction will cause a #GP fault to be raised, but the recovery code in the hypervisor will again try to use IRET without intermediately clearing the NT flag. The #GP fault raised on this second IRET is a fatal event, causing the hypervisor to crash. IMPACT ===== Malicious or buggy unprivileged user space can cause the entire host to crash. VULNERABLE SYSTEMS ================= All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are vulnerable. 32-bit Xen is not affected, as it doesn''t permit the use of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn''t affected since AMD CPUs don''t allow the use of SYSENTER in long mode. The vulnerability is only exposed by PV guests. MITIGATION ========= Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD CPUs will avoid this vulnerability. RESOLUTION ========= Applying the appropriate attached patch resolves this issue. xsa44-4.1.patch Xen 4.1.x xsa44-4.2.patch Xen 4.2.x xsa44-unstable.patch xen-unstable $ sha256sum xsa44*.patch 3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783 xsa44-4.1.patch c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49 xsa44-4.2.patch 0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36 xsa44-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRb/ZcAAoJEIP+FMlX6CvZCwMH/iTJCG4P9d+0nADT6YB3JmPl e9eO+cE+rGHBy5pdKAh1UF1JG9VvQe76hlJP3YS0QaXMNtN6k2dxoHZEj1hpSzKJ Q+KfS/R9yvVlputbfsVPSYYTl1bzDzMlWqyy/cZUZZVpGkMhVw1dLjJp4NvohCWb OABvchlbY1tW2Vk4tNWy4vhVGHdzxegrtttEuAIBoXHtCIIeH3/0nwqokahfKzog cKr5+y9K0JgbFSGP25POu/e7s9+sUKjJfUsFVw3+HknBW+zgJZ8fcu+/J0eJlgb5 0tkq749p+DtRE+kqS4sSM71+iGmnpWh+a0lsBmhARa6pyKVN+ccMvzvh809ItQg=w315 -----END PGP SIGNATURE----- _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
Xen.org security team
2013-Apr-18 13:50 UTC
Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-1917 / XSA-44 version 3 Xen PV DoS vulnerability with SYSENTER UPDATES IN VERSION 3 =================== Backported patch for 4.0 now available. ISSUE DESCRIPTION ================ The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified - in particular, the NT flag doesn''t get cleared. If the hypervisor subsequently uses IRET to return to the guest (which it will always do if the guest is a 32-bit one), that instruction will cause a #GP fault to be raised, but the recovery code in the hypervisor will again try to use IRET without intermediately clearing the NT flag. The #GP fault raised on this second IRET is a fatal event, causing the hypervisor to crash. IMPACT ===== Malicious or buggy unprivileged user space can cause the entire host to crash. VULNERABLE SYSTEMS ================= All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are vulnerable. 32-bit Xen is not affected, as it doesn''t permit the use of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn''t affected since AMD CPUs don''t allow the use of SYSENTER in long mode. The vulnerability is only exposed by PV guests. MITIGATION ========= Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD CPUs will avoid this vulnerability. RESOLUTION ========= Applying the appropriate attached patch resolves this issue. xsa44-4.0.patch Xen 4.0.x xsa44-4.1.patch Xen 4.1.x xsa44-4.2.patch Xen 4.2.x xsa44-unstable.patch xen-unstable $ sha256sum xsa44*.patch 4de554d29adbae41a65d401becd9d074be27932ad9f3e0ed78ecb89de3ed35b5 xsa44-4.0.patch 3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783 xsa44-4.1.patch c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49 xsa44-4.2.patch 0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36 xsa44-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJRb/oqAAoJEIP+FMlX6CvZ9EYH/2OAz/GRAX4A2Y52HoUfslN9 lZa4YNJOtPOuLITMeapu7MXBgRJYA/GPFzfBVlAoPNQTNpUD0Mfxvwz9mVGIUtNX t0Mriz/oFGDqHzvz3rksmvG9y6tMfwa++srXms/uTXd3T1CxeGIHA4hMuvCRkMAU HQHQ1pfsK6XGHV+ITeJVBGEwKh+aDxBfqIXDU1yhgTA9djpsHXWNAsu5mNRBsb0i zMVxZg+x1maHhxigLwsEm1poxneWhkq+0pvTo/hCdK2XcK9NaUXNAALMZfQn5kgK IwaC52V3FJSxErIWlZz6IW6Zq4tugzu/VJ92hrM0fubd04mfFG15+buc+NdUmvk=qSef -----END PGP SIGNATURE----- _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel