-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2023-34327,CVE-2023-34328 / XSA-444 version 3 x86/AMD: Debug Mask handling UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. IMPACT ====== For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for it's own purposes can cause incorrect behaviour in an unrelated HVM vCPU, most likely resulting in a guest crash. For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the host. VULNERABLE SYSTEMS ================== Only AMD/Hygon hardware supporting the DBEXT feature are vulnerable. This is believed to be the Steamroller microarchitecture and later. For CVE-2023-34327, Xen versions 4.5 and later are vulnerable. For CVE-2023-34328, Xen version between 4.5 and 4.13 are vulnerable. The issue is benign in Xen 4.14 and later owing to an unrelated change. MITIGATION ========== For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not susceptible to running in the wrong state. By default, VMs will see the DBEXT feature on capable hardware, and when not explicitly levelled for migration compatibility. For CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot leverage the vulnerability. CREDITS ======= This issue was discovered by Andrew Cooper of XenServer. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa444-?.patch xen-unstable xsa444-4.17-?.patch Xen 4.17.x xsa444-4.16-?.patch Xen 4.16.x - Xen 4.15.x $ sha256sum xsa444* d1a10243d08295ffed2721aaa150efad9e9bd624428f0c24d04e69435a8ddc2e xsa444-1.patch 9ce44c08030780c2e0432169ce679da0a5793ee254e38a0dbe506edf5f1587fd xsa444-2.patch ff0142be5b71679df0f425ea8f74e77589db5b5312e631541d2ab7968b9ea779 xsa444-4.16-1.patch 4ecf44680bd95fb4adddb1c5ced21e8b2754bca2f5cf3e028cf6ea3d9a90d239 xsa444-4.16-2.patch 9c1244f06c2cd0ad4c2023d224363d5d4ad063d80f8682ee66056520cabfb52d xsa444-4.17-1.patch 18dcbb62b5c5f1fba205cfbc83f3b4b1ffa39490bbfd1f1263320f8aef16e83c xsa444-4.17-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUlNO0MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZoGcH+gMuZqrzWTDFKflh1MO9EPI5iQzyJgQEHicacoBP rO6gAUMQ2OvgqM1CO6e7qZ7qU+CPP2dfp1aR+Zxz0ynzeku2cVJY1SiAhZ+ZODso pBZg/3DKtX0kGP27nStInbZQu2TGfTUQLJ80sYxb3A7Fl8uGWmlCFuZoYGK7R9+P KU2sutmFJJipQVoQm38AQmTed1f+xjtX3AGwWFNGnuHkAC9pQGCQ29YL7wqhtvjw FndF1aLLVCX5Wt6LIK6K5z8DncfrDTwXDha3XMbFmY37HGOOa96jTPJhThmnYEU1 SWc43m9HnCiP/DdBeQ9t2JmVVkx8Qc5kZQigFdpQ0aR/wj8= =n97C -----END PGP SIGNATURE-----