[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xen Security Advisory 44 (CVE-2013-1917) - Xen PV DoS vulnerability with SYSENTER



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1917 / XSA-44
                              version 2

                Xen PV DoS vulnerability with SYSENTER

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn't get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS
==================

All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable.  32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected
since AMD CPUs don't allow the use of SYSENTER in long mode.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa44-4.1.patch             Xen 4.1.x
xsa44-4.2.patch             Xen 4.2.x
xsa44-unstable.patch        xen-unstable

$ sha256sum xsa44*.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783  
xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49  
xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36  
xsa44-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRb/ZcAAoJEIP+FMlX6CvZCwMH/iTJCG4P9d+0nADT6YB3JmPl
e9eO+cE+rGHBy5pdKAh1UF1JG9VvQe76hlJP3YS0QaXMNtN6k2dxoHZEj1hpSzKJ
Q+KfS/R9yvVlputbfsVPSYYTl1bzDzMlWqyy/cZUZZVpGkMhVw1dLjJp4NvohCWb
OABvchlbY1tW2Vk4tNWy4vhVGHdzxegrtttEuAIBoXHtCIIeH3/0nwqokahfKzog
cKr5+y9K0JgbFSGP25POu/e7s9+sUKjJfUsFVw3+HknBW+zgJZ8fcu+/J0eJlgb5
0tkq749p+DtRE+kqS4sSM71+iGmnpWh+a0lsBmhARa6pyKVN+ccMvzvh809ItQg=
=w315
-----END PGP SIGNATURE-----

Attachment: xsa44-4.1.patch
Description: Binary data

Attachment: xsa44-4.2.patch
Description: Binary data

Attachment: xsa44-unstable.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.