|Public release ||2015-11-24 17:12|
|Updated ||2015-11-24 17:12|
|CVE(s) ||none (yet) assigned|
|Title ||virtual PMU is unsupported|
Filesadvisory-163.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory XSA-163
virtual PMU is unsupported
The Virtual Performance Measurement Unit feature has been documented
as unsupported, so far only on Intel CPUs. Further issues have been
found or are suspected which would also (or exclusively) affect AMD
CPUs. We believe that the functionality is mostly intended for
non-production use anyway. Therefore this functionality is hereby
documented as generally unsupported security-wise.
Use of the feature may have unknown effects, ranging from information
leaks through Denial of Service to privilege escalation.
Only systems which enable the VPMU feature are affected. That is,
only systems with a `vpmu' setting on the hypervisor command line.
Xen versions from 3.3 onwards are affected.
Only x86 systems are affected. ARM systems do not currently implement
vPMU and are therefore currently unaffected; should this functionality
be added to ARM in the future it would be covered by this exclusion.
In Xen versions prior to 4.6 only HVM guests can take advantage of
this unsupported functionality. In Xen versions from 4.6 onwards all
guest kinds can use this unsupported functionality.
Not enabling vPMU support (by omitting the "vpmu" hypervisor command
line option) will avoid using and exposing the unsupported
Applying the attached patch documents the situation. The patch does
not fix any security issues.
$ sha256sum xsa163*
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team