-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-161 version 2 WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM UPDATES IN VERSION 2 ==================== Upon further inspection the necessary privilege level check is present in the generic code which handles XSETBV and therefore there is no vulnerability in any version of Xen. This advisory is therefore withdrawn. The previous text is retained below for reference. Thanks to Andrew Cooper for pointing out this oversight. ISSUE DESCRIPTION ================= *** NOTE: This advisory has been withdrawn *** XSETBV is a privileged instruction, i.e. should result in #GP when issued by code running at other than the most privileged level (CPL 0). Unlike other privileged and intercepted instructions in AMD SVM, XSETBV has the privilege level check done after the intercept check, resulting in the need for software to do the checking instead. This software check was missing. IMPACT ====== *** NOTE: This advisory has been withdrawn *** User mode code of HVM guests running on AVX-capable AMD hardware may effect changes to the set of enabled AVX sub-features in the guest, potentially confusing the guest kernel, likely resulting in crash and hence a Denial of Service to the guest. Other attacks, namely privilege escalation (again inside the guest only), cannot be ruled out. VULNERABLE SYSTEMS ================== *** NOTE: This advisory has been withdrawn, no versions are vulnerable *** Xen versions from 4.1 onwards are affected. Only x86 AMD systems supporting AVX are affected. Intel systems as well as ARM ones are unaffected. Only HVM guest user mode code can leverage this vulnerability. MITIGATION ========== Running only PV guests will avoid this vulnerability. Running HVM guests on only Intel hardware will also avoid this vulnerability. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa161.patch xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x $ sha256sum xsa161* aa205960410c2feaa2a45127a1837a64212dd322d8edf884aa3231dd10c8a884 xsa161.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWVdPmAAoJEIP+FMlX6CvZ6IgH/RNKOBcIYc2BTxacwhIh/9Uj lxXT1XfR3xksFzsW1T7rp6OAYQ1Lpsh+yAQLF8qAEEE+jUi7TWTb1U87K6tS9yYp ppqwWfp6YS63uhtTu0SiMdvM0hOHTHC2ZfNehpX/iAtzpsdzqcYeWkIjjMBq6z95 isxXnuJq1EmfaI+Sx56c8yRntJwAqDx4twD7gJWC1feRltJn+kSR+pyGpcw4IeM3 ThfgW5Q1s2N4IX/yHlvPGhWDjBwfCP13de23UvUQwiSzLF6m42OnDtSLozvA/h56 yA7JDi/RYDsyL30qYllHKpW8lfrlsq6Xkyakrkw49sm1cJvaYu4vjLDZ9byVvmU= =wPwa -----END PGP SIGNATURE-----