|Public release ||2016-02-17 12:00|
|Updated ||2016-02-17 12:25|
|Title ||VMX: guest user mode may crash guest with non-canonical RIP|
Filesadvisory-170.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2016-2271 / XSA-170
VMX: guest user mode may crash guest with non-canonical RIP
UPDATES IN VERSION 3
VMX refuses attempts to enter a guest with an instruction pointer which
doesn't satisfy certain requirements. In particular, the instruction
pointer needs to be canonical when entering a guest currently in 64-bit
mode. This is the case even if the VM entry information specifies an
exception to be injected immediately (in which case the bad instruction
pointer would possibly never get used for other than pushing onto the
exception handler's stack). Provided the guest OS allows user mode to
map the virtual memory space immediately below the canonical/non-
canonical address boundary, a non-canonical instruction pointer can
result even from normal user mode execution. VM entry failure, however,
is fatal to the guest.
Malicious HVM guest user mode code may be able to crash the guest.
All Xen versions are affected.
Only systems using Intel or Cyrix CPUs are affected. ARM and AMD
systems are unaffected.
Only HVM guests are affected.
Running only PV guests will avoid this vulnerability.
Running HVM guests on only AMD hardware will also avoid this
This issue was discovered by Ling Liu of Qihoo 360 Inc.
Applying the appropriate attached patch works around this issue. Note
that it does so in a way which isn't architecturally correct, but no
better solution has been found (nor suggested by Intel).
xsa170.patch xen-unstable, Xen 4.6.x
xsa170-4.5.patch Xen 4.5.x, Xen 4.4.x
xsa170-4.3.patch Xen 4.3.x
$ sha256sum xsa170*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team