Xen.org security team
2014-Apr-22 15:06 UTC
Xen Security Advisory 93 - Hardware features unintentionally exposed to guests on ARM
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-93 Hardware features unintentionally exposed to guests on ARM ISSUE DESCRIPTION ================ When running on an ARM platform Xen was not correctly configuring the hardware virtualisation platform and therefore did not prevent guests from accessing various hardware features including cache control, coprocessors, debug registers and various processor specific registers. IMPACT ===== By accessing these hardware facilities a malicious or buggy guest may be able to cause various issues, including crashing the host, crashing other guests (including control domains) and data corruption. Privilege escalation is not thought to be possible but has not been ruled out. VULNERABLE SYSTEMS ================= Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards. x86 systems are not vulnerable. MITIGATION ========= None. NOTE REGARDING LACK OF EMBARGO ============================= This bug was publicly reported on xen-devel, before it was appreciated that there was a security problem. The public mailing list thread contains information strongly suggestive of a security bug and included example code which can crash the host. CREDITS ====== The initial bug was discovered by Thomas Leonard and further followup issues were discovered by Julien Grall. RESOLUTION ========= Applying the attached patches resolves this issue. xsa93-unstable-{01..06}.patch xen-unstable xsa93-4.4-{01..06}.patch Xen 4.4.x $ sha256sum xsa93*.patch 9a01ed1c7d33d2381594af3b0985df50f3aa7f13f5a9989595427407c5a5eb06 xsa93-4.4-01.patch 68ec2bdb48dd232dbabefbe7c971546b52d7001a128471226a41f36e27a806f2 xsa93-4.4-02.patch 541d2d57ee85a9603ae4bf00bb321f6f491354df9e15eb09ddb5ccba68333ecc xsa93-4.4-03.patch 6a3736e5dea1d45df6b979f02e06e058d8dffdbcf128d2d0984db404a87ebb62 xsa93-4.4-04.patch 282e2cf82ad4345573d21351c242684cd09f384bcd76c262740f9e33f8b04c9c xsa93-4.4-05.patch e212ad288eaeccf6a33cab27ecc6515a889365b0c56b5010e91a603ce239a38b xsa93-4.4-06.patch 9a01ed1c7d33d2381594af3b0985df50f3aa7f13f5a9989595427407c5a5eb06 xsa93-unstable-01.patch 9b472975087dee1d22db8e5f3e55b1589910d84de86b2cad218bfd540fbbd92e xsa93-unstable-02.patch f921ba7c1b216dd425035f94ac9eef9374ae5eba4af4cb5a3b7aa3f958a0a767 xsa93-unstable-03.patch 45b7e6b226a4449370c4dbe21aa71c398955e4ed2bc7cf9e4426f29583af14be xsa93-unstable-04.patch 282e2cf82ad4345573d21351c242684cd09f384bcd76c262740f9e33f8b04c9c xsa93-unstable-05.patch e2668f0ecf1e79aa30928791b92a15c15821c8bce7958a5c3fee7563cf81960b xsa93-unstable-06.patch $ NOTE: These patches unconditionally deny access by all guests (including control domains) to various hardware features in order to close the vulnerability. Specifically guests are prevented from accessing: * coprocessors 0..9, 12 and 13; * coprocessor 14 (trace registers); * coprocessor 15 encodings: CRn==c9, opc1=={0-7}, CRm=={c0-c2, c5-c8}, opc2=={0-7}, CRn==c10, opc1=={0-7}, CRm=={c0, c1, c4, c8}, opc2=={0-7} CRn==c11, opc1=={0-7}, CRm=={c0-c8, c15}, opc2=={0-7} (IMPLEMENTATION DEFINED cache, TCM, branch predictor, memory remapping, and TLB control registers); * cp15 c15 (IMPLEMENTATION DEFINED); * Debug and Performance monitor registers. We have checked common Operating Systems which are known to run on Xen on ARM and not found any default uses of these registers. However it is expected that tools such as the Linux perf tool which make use of debug and performance registers will no longer function correctly in guest context. In addition if your use case requires access to specific coprocessors by one or more guest domains then additional local patches may be required to enable this. Where feasible we hope to reenable these use cases in the future. If this affects you then please contact the xen-devel mailing list http://lists.xen.org/mailman/listinfo/xen-devel. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTVoUqAAoJEIP+FMlX6CvZCDYH/i7QijGjgd4TtHPoJKkwKZhk P2Kztlo+EDm90UeAPy6BtsPIhHH8bI5yBCdbV/T8p32uRHv9GMyGCsIN+Qt0q7wO VgRvBGvr3Gpc/UvpsMQTNCFcy2BG6glI27icz9Ck8Uolan+Lc8cMDYTzy02XzTgV MN4hoBw51Mc/EVAyy0QSTF8nOpBMnzva7peDVOcVv90y3H0UNPQT+JKkw7r53jyJ SNXxiVnNN/mYhi7aD2UhX8zx01I/WsIhXt2tcW2q5pjTS+xoqW3Q2BB2nw7BOWPq 3I3AaZZ7jxt1AwL2T1LJBu6fVL6Qa1Bsr+q6QkCOfmP71v6ERq/Zuf0QavJTiL8=qtaJ -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users