Information

Advisory XSA-54
Public release 2013-06-03 12:00
Updated 2014-06-03 12:23
Version 4
CVE(s) CVE-2013-2078
Title Hypervisor crash due to missing exception recovery on XSETBV

Files

advisory-54.txt (signed advisory file)
xsa54.patch

Advisory


             Xen Security Advisory CVE-2013-2078 / XSA-54
                            version 4

       Hypervisor crash due to missing exception recovery on XSETBV

UPDATES IN VERSION 4
====================

Reduce vulnerable range of versions to 4.1 and onwards.

ISSUE DESCRIPTION
=================

Processors do certain validity checks on the register values passed to
XSETBV.  For the PV emulation path for that instruction the hypervisor
code didn't check for certain invalid bit combinations, thus exposing
itself to a fault occurring when invoking that instruction on behalf
of the guest.
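
As an added illustration (not code from this advisory, from xsa54.patch or from the Xen source), the C example below applies the architectural operand rules for XSETBV on XCR0, the kind of validation an emulation path needs before executing the instruction on a guest's behalf. The function name, return codes and sample values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* XCR0 state-component bits (architectural definitions). */
#define XSTATE_FP   (1ULL << 0)   /* x87 state: must always be set */
#define XSTATE_SSE  (1ULL << 1)   /* SSE (XMM) state */
#define XSTATE_YMM  (1ULL << 2)   /* AVX (YMM) state: requires SSE */

/*
 * Hypothetical helper (name and return codes are assumptions for this
 * example). Returns 0 if the processor would accept XSETBV with these
 * operands, -1 if the instruction would raise #GP.
 *   index     - guest ECX (XCR number)
 *   new_bv    - guest EDX:EAX (requested XCR value)
 *   supported - feature bits the host reports via CPUID leaf 0xD
 */
int xsetbv_args_valid(uint32_t index, uint64_t new_bv, uint64_t supported)
{
    if (index != 0)                 /* this example handles XCR0 only */
        return -1;
    if (new_bv & ~supported)        /* unsupported or reserved bit set */
        return -1;
    if (!(new_bv & XSTATE_FP))      /* bit 0 may never be cleared */
        return -1;
    if ((new_bv & XSTATE_YMM) && !(new_bv & XSTATE_SSE))
        return -1;                  /* AVX state without SSE state */
    return 0;
}

int main(void)
{
    /* Constructed sample: host supporting x87, SSE and AVX state. */
    const uint64_t host = XSTATE_FP | XSTATE_SSE | XSTATE_YMM;
    const uint64_t samples[] = { 0x1, 0x3, 0x7, 0x0, 0x5, 0x6, 0x17 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("XCR0=%#llx -> %s\n", (unsigned long long)samples[i],
               xsetbv_args_valid(0, samples[i], host) ? "reject" : "ok");
    return 0;
}
```
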

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host
to crash.

VULNERABLE SYSTEMS
==================

Xen 4.1 and onwards are vulnerable when run on systems with processors
supporting XSAVE.  Only PV guests can exploit the vulnerability.

In Xen 4.1 XSAVE support is disabled by default; therefore systems
running these versions are not vulnerable unless support is explicitly
enabled using the "xsave" hypervisor command line option.

Systems using processors not supporting XSAVE are not vulnerable.

Xen 3.x and earlier are not vulnerable. In particular, Xen 4.0.x is not
vulnerable because XSAVE support there covers only HVM guests.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line
option will avoid the vulnerability.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa54.patch                 Xen 4.1.x, Xen 4.2.x, xen-unstable

$ sha256sum xsa54*.patch
5d94946b3c9cba52aae2bffd4b0ebb11d09181650b5322a3c85170674a05f6b7  xsa54.patch
$

Xenproject.org Security Team