Xen users - Jun 2012 - Xen Security Advisory 9 (CVE-2012-2934) - PV guest host DoS (AMD erratum #121)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-2934 / XSA-9
                            version 3

		   PV guest host Denial of Service

UPDATES IN VERSION 3
===================
Public release.  Previous versions were embargoed.

Remove leftover statement that CVE number had not been assigned.
The correct CVE for this issue is CVE-2012-2934.

ISSUE DESCRIPTION
================
A Xen user has discovered that some older AMD CPUs can be made to lock
up due to AMD processor erratum #121.

This issue was discovered during testing of the fix for XSA-7
(CVE-2012-0217). Although the two issues are unrelated the situations
which can trigger them may overlap.

REFERENCES
=========
AMD Erratum #121 is described in "Revision Guide for AMD Athlon 64 and AMD
Opteron Processors": http://support.amd.com/us/Processor_TechDocs/25759.pdf

IMPACT
=====
A guest user or administrator of a 64 bit PV guest on a vulnerable
system can cause the processor to lock up, leading to a Denial of
Service attack against the host.

Systems which run only 32 bit guest kernels are not vulnerable.

VULNERABLE SYSTEMS
=================
The following 130nm and 90nm (DDR1-only) AMD processors are subject
to this erratum:

 * First-generation AMD-Opteron(tm) single and dual core processors
   in either 939 or 940 packages:
   * AMD Opteron(tm) 100-Series Processors
   * AMD Opteron(tm) 200-Series Processors
   * AMD Opteron(tm) 800-Series Processors
 * AMD Athlon(tm) processors in either 754, 939 or 940 packages
 * AMD Sempron(tm) processor in either 754 or 939 packages
 * AMD Turion(tm) Mobile Technology in 754 package

None of the affected processors support AMD SVM.  Therefore, any
system which has any HVM Xen guests is not vulnerable.

This issue does not affect Intel processors.

MITIGATION
=========
Running a 64 bit PV guest kernel (which must necessarily be host
administrator controlled) which itself contains the fix for erratum
#121 will prevent unprivileged users in guests from exploiting this
issue.  All Windows operating systems and current versions of the
Linux and Solaris kernels, for example, are known to contain the fix
for erratum #121.

There is no mitigation when running untrusted 64 bit guest kernels or
against untrusted administrators of 64 bit guests.

Systems which run only 32 bit PV guest kernels are not
vulnerable. Note that this may mean only booting known good kernels or
vetting any user supplied kernels to ensure they are not 64 bit.

RESOLUTION
=========
There is no software fix for this issue. The workaround suggested by
AMD in erratum #121 cannot be applied to Xen since the relevant address
is under guest control.

Applying the patch will cause Xen to detect vulnerable systems and
refuse to boot. A command line override is provided to allow users who
accept the risks or who are able to mitigate as above to continue to
do so. To activate the override add "allow_unsafe" to your hypervisor
command line.

This change has been made to the staging Xen repositories:
  xen-unstable.hg      25481:bc2f3a848f9a
  xen-4.1-testing.hg   23301:a9c0a89c08f2
  xen-4.0-testing.hg   21592:e35c8bb53255

PATCH INFORMATION
================
 xen-unstable                                xsa9-unstable.patch  
 Xen 4.1, 4.1.x                              xsa9-xen-4.1.patch
 Xen 4.0, 4.0.x                              xsa9-xen-4.0.patch

$ sha256sum xsa9-*.patch
b48a2f1d5a7eb52f8533dccfb8bf0d6d403609011c1dd5915bcfcea92a5e8873 
xsa9-unstable.patch
8ec1fa01b8094750e908bd5992b451e5c2acbe97ea1061e20c9244909d960262 
xsa9-xen-4.0.patch
cb7686178ec8a2f021c01ae9706bfb3f1f44a098dba5723f1a645d959da5f2f3 
xsa9-xen-4.1.patch

NOTE REGARDING EMBARGO
=====================
Due to the relationship between this issue and XSA-7 (CVE-2012-0217),
we have concluded that this advisory should be under the same embargo
as XSA-7.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJP1yzzAAoJEIP+FMlX6CvZXvgH/1og/ULBFEj1E5i7eySDdbMl
RtFfxCXbtTcsUvBQNZ6oKLKYyumhfQPhGUyhq5epuxZVhFmYEHdztH3Gf1fQLXuN
AhGLomV3vA5ANzs2Dc+jvMhM25VWGekZbqQCfV+3FhZEyiqneUGbVUrvIJlpe3LH
b5g4gWgvPpsFUewTtR7MgqJgBbVi1KbIc69r1Fh3Y+i6/KczxDwGUXtcVv1BZ3HJ
Qkts3oT2bEFiqUgPtZKdRnKJegRJGQipOueqQMzYO5xtzElqGJVuD9C01VK2Qxzh
Og7jsvajNM+9ulw5tTkbc2p84KBKaV2zrivfLfptir5IZOhI6RN6v880iyrNvpw=X3We
-----END PGP SIGNATURE-----