|Public release ||2013-06-03 12:00|
|Updated ||2013-06-03 16:18|
|Title ||Information leak on XSAVE/XRSTOR capable AMD CPUs|
Filesadvisory-52.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2013-2076 / XSA-52
Information leak on XSAVE/XRSTOR capable AMD CPUs
UPDATES IN VERSION 3
On AMD processors supporting XSAVE/XRSTOR (family 15h and up), when an
exception is pending, these instructions save/restore only the FOP,
FIP, and FDP x87 registers in FXSAVE/FXRSTOR. This allows one domain
to determine portions of the state of floating point instructions of
NOTE: This is the documented behavior of AMD64 processors, but it is
inconsistent with Intel processors in a security-relevant fashion that
was not addressed by the original implementation of XSAVE support on
This vulnerability is similar to CVE-2006-1056, concerning
FXSAVE/FXRSTOR on AMD processors.
A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.
Xen 4.0 and onwards are vulnerable when run on systems with AMD
processors supporting XSAVE. Any kind of guest can exploit the
In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the "xsave"
hypervisor command line option.
Systems not using AMD processors, or using AMD processors not
supporting XSAVE (i.e. families prior to 15h), are not vulnerable.
Xen 3.x and earlier are not vulnerable.
Turning off XSAVE support via the "no-xsave" hypervisor command line
option will avoid the vulnerability.
Applying the attached patch resolves this issue.
xsa52-4.1.patch Xen 4.1.x
xsa52-4.2-unstable.patch Xen 4.2.x, xen-unstable
$ sha256sum xsa52-*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team