-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-1917 / XSA-44
version 2
Xen PV DoS vulnerability with SYSENTER
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn't get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.
IMPACT
======
Malicious or buggy unprivileged user space can cause the entire host to crash.
VULNERABLE SYSTEMS
==================
All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable. 32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected
since AMD CPUs don't allow the use of SYSENTER in long mode.
The vulnerability is only exposed by PV guests.
MITIGATION
==========
Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa44-4.1.patch Xen 4.1.x
xsa44-4.2.patch Xen 4.2.x
xsa44-unstable.patch xen-unstable
$ sha256sum xsa44*.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783 xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49 xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36 xsa44-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJRb/ZcAAoJEIP+FMlX6CvZCwMH/iTJCG4P9d+0nADT6YB3JmPl
e9eO+cE+rGHBy5pdKAh1UF1JG9VvQe76hlJP3YS0QaXMNtN6k2dxoHZEj1hpSzKJ
Q+KfS/R9yvVlputbfsVPSYYTl1bzDzMlWqyy/cZUZZVpGkMhVw1dLjJp4NvohCWb
OABvchlbY1tW2Vk4tNWy4vhVGHdzxegrtttEuAIBoXHtCIIeH3/0nwqokahfKzog
cKr5+y9K0JgbFSGP25POu/e7s9+sUKjJfUsFVw3+HknBW+zgJZ8fcu+/J0eJlgb5
0tkq749p+DtRE+kqS4sSM71+iGmnpWh+a0lsBmhARa6pyKVN+ccMvzvh809ItQg=
=w315
-----END PGP SIGNATURE-----
Hash: SHA1
Xen Security Advisory CVE-2013-1917 / XSA-44
version 2
Xen PV DoS vulnerability with SYSENTER
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn't get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.
IMPACT
======
Malicious or buggy unprivileged user space can cause the entire host to crash.
VULNERABLE SYSTEMS
==================
All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable. 32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected
since AMD CPUs don't allow the use of SYSENTER in long mode.
The vulnerability is only exposed by PV guests.
MITIGATION
==========
Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa44-4.1.patch Xen 4.1.x
xsa44-4.2.patch Xen 4.2.x
xsa44-unstable.patch xen-unstable
$ sha256sum xsa44*.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783 xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49 xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36 xsa44-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJRb/ZcAAoJEIP+FMlX6CvZCwMH/iTJCG4P9d+0nADT6YB3JmPl
e9eO+cE+rGHBy5pdKAh1UF1JG9VvQe76hlJP3YS0QaXMNtN6k2dxoHZEj1hpSzKJ
Q+KfS/R9yvVlputbfsVPSYYTl1bzDzMlWqyy/cZUZZVpGkMhVw1dLjJp4NvohCWb
OABvchlbY1tW2Vk4tNWy4vhVGHdzxegrtttEuAIBoXHtCIIeH3/0nwqokahfKzog
cKr5+y9K0JgbFSGP25POu/e7s9+sUKjJfUsFVw3+HknBW+zgJZ8fcu+/J0eJlgb5
0tkq749p+DtRE+kqS4sSM71+iGmnpWh+a0lsBmhARa6pyKVN+ccMvzvh809ItQg=
=w315
-----END PGP SIGNATURE-----
Attached Files:
-
xsa44-4.1.patch (2.78 KB)
-
xsa44-4.2.patch (2.78 KB)
-
xsa44-unstable.patch (1.63 KB)