Information

Advisory XSA-161
Public release 2015-11-25 15:29
Updated 2015-11-25 15:29
Version 2
CVE(s) none (yet) assigned
Title WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM

Files

advisory-161.txt (signed advisory file)
xsa161.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-161
                              version 2

    WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM

UPDATES IN VERSION 2
====================

Upon further inspection the necessary privilege level check is present
in the generic code which handles XSETBV and therefore there is no
vulnerability in any version of Xen.

This advisory is therefore withdrawn. The previous text is retained
below for reference.

Thanks to Andrew Cooper for pointing out this oversight.

ISSUE DESCRIPTION
=================

*** NOTE: This advisory has been withdrawn ***

XSETBV is a privileged instruction, i.e. should result in #GP when
issued by code running at other than the most privileged level (CPL 0).
Unlike other privileged and intercepted instructions in AMD SVM, XSETBV
has the privilege level check done after the intercept check, resulting
in the need for software to do the checking instead. This software
check was missing.

IMPACT
======

*** NOTE: This advisory has been withdrawn ***

User mode code of HVM guests running on AVX-capable AMD hardware may
effect changes to the set of enabled AVX sub-features in the guest,
potentially confusing the guest kernel, likely resulting in crash and
hence a Denial of Service to the guest. Other attacks, namely privilege
escalation (again inside the guest only), cannot be ruled out.

VULNERABLE SYSTEMS
==================

*** NOTE: This advisory has been withdrawn, no versions are vulnerable ***

Xen versions from 4.1 onwards are affected.

Only x86 AMD systems supporting AVX are affected. Intel systems as
well as ARM ones are unaffected.

Only HVM guest user mode code can leverage this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only Intel hardware will also avoid this
vulnerability.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa161.patch         xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x

$ sha256sum xsa161*
aa205960410c2feaa2a45127a1837a64212dd322d8edf884aa3231dd10c8a884  xsa161.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWVdPmAAoJEIP+FMlX6CvZ6IgH/RNKOBcIYc2BTxacwhIh/9Uj
lxXT1XfR3xksFzsW1T7rp6OAYQ1Lpsh+yAQLF8qAEEE+jUi7TWTb1U87K6tS9yYp
ppqwWfp6YS63uhtTu0SiMdvM0hOHTHC2ZfNehpX/iAtzpsdzqcYeWkIjjMBq6z95
isxXnuJq1EmfaI+Sx56c8yRntJwAqDx4twD7gJWC1feRltJn+kSR+pyGpcw4IeM3
ThfgW5Q1s2N4IX/yHlvPGhWDjBwfCP13de23UvUQwiSzLF6m42OnDtSLozvA/h56
yA7JDi/RYDsyL30qYllHKpW8lfrlsq6Xkyakrkw49sm1cJvaYu4vjLDZ9byVvmU=
=wPwa
-----END PGP SIGNATURE-----

Xenproject.org Security Team