| Public release | 2013-06-03 12:00 |
| Updated | 2013-06-03 16:18 |
| Title | Hypervisor crash due to missing exception recovery on XRSTOR |
| Files | advisory-53.txt (signed advisory file) |
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2013-2077 / XSA-53

Hypervisor crash due to missing exception recovery on XRSTOR

UPDATES IN VERSION 3

Processors do certain validity checks on the data passed to XRSTOR.
While the hypervisor controls the placement of that memory block, it
doesn't restrict the contents in any way. Thus the hypervisor exposes
itself to a fault occurring on XRSTOR. Other than for FXRSTOR, which
behaves similarly, there was no exception recovery code attached to

Malicious or buggy unprivileged user space can cause the entire host

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE. Only PV guests can exploit the vulnerability; for
HVM guests only the control tools have access to the respective

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the "xsave"
hypervisor command line option.

Systems using processors not supporting XSAVE are not vulnerable.

Xen 3.x and earlier are not vulnerable.

Turning off XSAVE support via the "no-xsave" hypervisor command line
option will avoid the vulnerability.

Applying the attached patch resolves this issue.

xsa53-4.1.patch Xen 4.1.x
xsa53-4.2.patch Xen 4.2.x

$ sha256sum xsa53-*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team
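
The version, processor and command-line conditions stated in the advisory can be applied mechanically when triaging hosts. The shell function below is an added example, not part of the advisory or of Xen; the function name, its three inputs and the verdict strings are assumptions, and it cannot tell whether the patch has already been applied.

```shell
#!/bin/sh
# xsa53_exposure VERSION CPUFLAGS CMDLINE   (added example, hypothetical helper)
#   VERSION   Xen version string, e.g. "4.1.4"
#   CPUFLAGS  space-separated feature flags of the host processor
#   CMDLINE   hypervisor command line
# Prints one of: not-affected | xsave-disabled | exposed-unless-patched
xsa53_exposure() {
    ver=$1; flags=$2; cmdline=$3

    # Split "major.minor[.patch][-suffix]" into numeric parts.
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}; minor=${minor:-0}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;
        *)   patch= ;;
    esac
    patch=${patch:-0}

    # Xen 3.x and earlier are not vulnerable.
    if [ "$major" -lt 4 ]; then echo not-affected; return 0; fi

    # Processors not supporting XSAVE are not vulnerable.
    case " $flags " in
        *" xsave "*) ;;
        *) echo not-affected; return 0 ;;
    esac

    # XSAVE is on by default, except in 4.0.2-4.0.4 and 4.1.x.
    xsave_on=1
    if [ "$major" -eq 4 ]; then
        if [ "$minor" -eq 1 ]; then xsave_on=0; fi
        if [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && [ "$patch" -le 4 ]; then
            xsave_on=0
        fi
    fi

    # Explicit options override the default. Assumed here: the last option
    # wins, and only the two spellings named in the advisory are recognised.
    for tok in $cmdline; do
        case $tok in
            xsave)    xsave_on=1 ;;
            no-xsave) xsave_on=0 ;;
        esac
    done

    if [ "$xsave_on" -eq 1 ]; then echo exposed-unless-patched
    else echo xsave-disabled; fi
}
```

A verdict of `exposed-unless-patched` means the host meets every condition the advisory lists and needs either the patch or the "no-xsave" option.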