|Public release ||2013-04-18 12:00|
|Updated ||2013-04-18 13:50|
|Title ||Xen PV DoS vulnerability with SYSENTER|
|Files ||advisory-44.txt (signed advisory file)|
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2013-1917 / XSA-44
Xen PV DoS vulnerability with SYSENTER
UPDATES IN VERSION 3
Backported patch for 4.0 now available.
ISSUE DESCRIPTION

The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified: it clears IF, VM and RF, but in particular the NT flag
does not get cleared, and NT is a flag that unprivileged code can set
with POPF. If the hypervisor subsequently uses IRET to return to the
guest (which it will always do if the guest is a 32-bit one), that
instruction raises a #GP fault, since IRET in 64-bit mode faults when NT
is set, but the recovery code in the hypervisor again tries to use IRET
without first clearing the NT flag. The #GP fault raised on this second
IRET is a fatal event, causing the hypervisor to crash.
IMPACT

Malicious or buggy unprivileged user space can cause the entire host to crash.
VULNERABLE SYSTEMS

All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable. 32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen running on AMD CPUs isn't affected,
since AMD CPUs don't allow the use of SYSENTER in long mode.

The vulnerability is only exposed by PV guests.
MITIGATION

Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs, will avoid this vulnerability.
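The following script is an added example and is not part of this advisory or of Xen; it applies the VULNERABLE SYSTEMS criteria above (64-bit hypervisor, Intel CPU, Xen 3.1 or later) to the key/value output of `xl info` and to /proc/cpuinfo. It assumes that a 64-bit hypervisor advertises the token "xen-3.0-x86_64" in the xen_caps line; the sample inputs are constructed, not captured from a real host. Whether any PV guest is actually running is not decided here and must be checked separately against the domain configurations.

```sh
#!/bin/sh
# Added example, not part of XSA-44: check whether a host meets the
# advisory's VULNERABLE SYSTEMS criteria (64-bit Xen >= 3.1 on an Intel
# CPU) from `xl info` output and /proc/cpuinfo. Whether a PV guest is
# running is not decided here and must be checked separately.
# Assumption: a 64-bit hypervisor lists the token "xen-3.0-x86_64" in
# the xen_caps line of `xl info`.

# Constructed sample inputs (not captured from a real host).
SAMPLE_XL_INFO='host                   : xenhost
machine                : x86_64
xen_major              : 4
xen_minor              : 2
xen_extra              : .1
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64'
SAMPLE_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6'

# xl_field TEXT KEY: print the value of the first "KEY : value" line in
# TEXT (the layout of both `xl info` and /proc/cpuinfo), blanks trimmed.
xl_field() {
    printf '%s\n' "$1" | awk -v key="$2" \
        '$0 ~ ("^" key "[ \t]*:") { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# xsa44_host_exposed XL_INFO_TEXT CPUINFO_TEXT
# Prints a one-line verdict. Returns 0 if the host matches the advisory's
# criteria, 1 if a criterion rules it out or cannot be evaluated.
xsa44_host_exposed() {
    [ -n "$1" ] || { echo "cannot tell: empty xl info output (run on dom0 as root)"; return 1; }
    caps=$(xl_field "$1" xen_caps)
    major=$(xl_field "$1" xen_major)
    minor=$(xl_field "$1" xen_minor)
    vendor=$(xl_field "$2" vendor_id)

    # 32-bit Xen never lets PV guests use SYSENTER.
    case " $caps " in
        *" xen-3.0-x86_64 "*) ;;
        *) echo "not exposed: not a 64-bit hypervisor (xen_caps: '$caps')"; return 1 ;;
    esac
    # AMD CPUs do not allow SYSENTER in long mode.
    if [ "$vendor" != "GenuineIntel" ]; then
        echo "not exposed: CPU vendor '$vendor' is not Intel"; return 1
    fi
    for n in "$major" "$minor"; do
        case "$n" in
            ''|*[!0-9]*) echo "cannot tell: xen_major/xen_minor not found"; return 1 ;;
        esac
    done
    # Affected from Xen 3.1 onwards.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 1 ]; }; then
        echo "not exposed: Xen $major.$minor predates 3.1"; return 1
    fi
    echo "exposed: 64-bit Xen $major.$minor on $vendor; apply the XSA-44 patch for this series before running PV guests"
    return 0
}

# Run against the live host when xl is available, else against the samples.
if command -v xl >/dev/null 2>&1; then
    xsa44_host_exposed "$(xl info 2>/dev/null)" "$(cat /proc/cpuinfo)" || true
else
    xsa44_host_exposed "$SAMPLE_XL_INFO" "$SAMPLE_CPUINFO" || true
fi
```

Run it on dom0 as root so that `xl info` produces output; an empty result is reported as "cannot tell" rather than as "not exposed", so that an unprivileged run is never mistaken for a clean host.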
RESOLUTION

Applying the appropriate attached patch resolves this issue.

xsa44-4.0.patch        Xen 4.0.x
xsa44-4.1.patch        Xen 4.1.x
xsa44-4.2.patch        Xen 4.2.x

$ sha256sum xsa44*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team