-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-3665 / XSA-267
                              version 4

      Speculative register leakage from lazy FPU context switching

UPDATES IN VERSION 4
====================

Normalize version tags by ensuring at least two spaces between glob and
tag.

ISSUE DESCRIPTION
=================

x86 has a hardware mechanism for lazy FPU context switching. On a task
switch, %cr0.ts (Task Switched) gets set, and the next instruction to
touch floating point state raises an #NM (No Math, later known as Device
Not Available) exception.

Traditionally, FPU state has been large in comparison to available
bandwidth (and therefore slow to switch) and not used as frequently as
cpu tasks tend to switch. This mechanism allows the OS to only switch
FPU state when necessary, which in turn increases performance.

Some CPUs however speculate past an #NM exception, allowing register
content to be leaked by a side-channel.

For more details, see:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html

IMPACT
======

An attacker can read x87/MMX/SSE/AVX/AVX-512 register state belonging to
another vCPU previously scheduled on the same processor. This can be
state belonging to a different guest, or state belonging to a different
thread inside the same guest.

Furthermore, similar changes are expected for OS kernels. Consult your
operating system provider for more information.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable. ARM processors are not known to be
affected.

Only Intel Core based processors (from at least Nehalem onwards) are
potentially affected. Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.

MITIGATION
==========

Depending on the availability of host resources, leakage can be
prevented between VMs by using cpupools or cpu pinning to isolate the
vCPUs from different VMs to separate pCPUs.
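The pinning mitigation above can be planned and audited mechanically. The following is an added example, not part of this advisory or of the Xen project's tooling: it assigns each domain its own disjoint pCPUs (refusing, rather than silently sharing, when the host has too few), renders the assignment as `xl vcpu-pin` hard-affinity commands, and audits `xl vcpu-list`-style output for any pCPU on which vCPUs of two or more domains may still run. The domain names, vCPU counts and the `xl vcpu-list` sample are constructed; the "Hard / Soft" affinity column format is assumed.

```python
"""Added example: plan and audit pCPU pinning so that vCPUs of different
domains never share a pCPU (the cpu-pinning mitigation for XSA-267).

Assumptions, labelled as such: `xl vcpu-pin <domain> <vcpu> <pcpu>` sets
hard affinity; `xl vcpu-list` reports hard affinity before " / " in its
last column as "all", "N" or "A-B,C"; all host data below is constructed.
"""
from typing import Dict, List, Set

ALL_PCPUS: Set[int] = set(range(8))  # constructed host with 8 pCPUs (0-7)


def plan_exclusive_pinning(vcpus_per_domain: Dict[str, int],
                           pcpus: List[int]) -> Dict[str, List[int]]:
    """Give every domain its own disjoint pCPUs, one per vCPU.

    Raises ValueError when the domains have more vCPUs in total than the
    host has pCPUs: that is the "depending on the availability of host
    resources" caveat, and the plan must not fall back to sharing.
    """
    needed = sum(vcpus_per_domain.values())
    if needed > len(pcpus):
        raise ValueError(
            f"exclusive pinning needs {needed} pCPUs, host offers {len(pcpus)}")
    plan: Dict[str, List[int]] = {}
    free = list(pcpus)
    for domain, nvcpus in vcpus_per_domain.items():
        plan[domain], free = free[:nvcpus], free[nvcpus:]
    return plan


def xl_commands(plan: Dict[str, List[int]]) -> List[str]:
    """Render a plan as xl hard-affinity commands, one per vCPU."""
    return [f"xl vcpu-pin {domain} {vcpu} {pcpu}"
            for domain, cpus in plan.items()
            for vcpu, pcpu in enumerate(cpus)]


def parse_affinity(spec: str, all_pcpus: Set[int]) -> Set[int]:
    """Expand an affinity string ("all", "3", "0-3,6") into a set of pCPUs."""
    spec = spec.strip()
    if spec in ("all", "any"):
        return set(all_pcpus)
    cpus: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus


def parse_vcpu_list(output: str) -> Dict[str, List[Set[int]]]:
    """Parse `xl vcpu-list`-style text into {domain: [hard affinity per vCPU]}.

    Only the domain name (first column) and the token just before " / "
    (hard affinity) are used, so the other columns' spacing is irrelevant.
    """
    result: Dict[str, List[Set[int]]] = {}
    for line in output.splitlines()[1:]:  # first line is the header
        if not line.strip():
            continue
        name = line.split()[0]
        hard = line.split(" / ")[0].split()[-1]
        result.setdefault(name, []).append(parse_affinity(hard, ALL_PCPUS))
    return result


def shared_pcpus(affinity: Dict[str, List[Set[int]]]) -> Dict[int, List[str]]:
    """Return every pCPU on which vCPUs of two or more domains may run.

    An empty result means no two domains can be scheduled on the same
    pCPU, which is what the mitigation requires. Domain-0 counts as a
    domain here: unpinned dom0 vCPUs overlap every guest.
    """
    owners: Dict[int, Set[str]] = {}
    for domain, masks in affinity.items():
        for mask in masks:
            for pcpu in mask:
                owners.setdefault(pcpu, set()).add(domain)
    return {p: sorted(d) for p, d in sorted(owners.items()) if len(d) > 1}


# Constructed `xl vcpu-list` output: dom0 is on 0-1, guest1 is pinned to
# 2-3, guest2 is still unpinned ("all") and therefore overlaps both.
SAMPLE_VCPU_LIST = """\
Name                                ID  VCPU   CPU State   Time(s) Affinity (Hard / Soft)
Domain-0                             0     0    0   r--     102.4  0-1 / all
Domain-0                             0     1    1   -b-      98.7  0-1 / all
guest1                               1     0    2   -b-      12.0  2-3 / all
guest1                               1     1    3   -b-      11.5  2-3 / all
guest2                               2     0    5   -b-       4.2  all / all
"""

if __name__ == "__main__":
    for pcpu, domains in shared_pcpus(parse_vcpu_list(SAMPLE_VCPU_LIST)).items():
        print(f"pCPU {pcpu} shared by: {', '.join(domains)}")
    # Fix for the sample: give guest2 the still-unused pCPU 4.
    for cmd in xl_commands(plan_exclusive_pinning({"guest2": 1}, [4])):
        print(cmd)
```

Run against the constructed sample, the audit reports pCPUs 0-3 as shared because guest2 is unpinned, and the planner proposes `xl vcpu-pin guest2 0 4`; after that no pCPU is shared. The same audit can be pointed at real `xl vcpu-list` output to confirm that a cpupool or pinning layout actually keeps every pair of domains on separate pCPUs, including Domain-0.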
CREDITS
=======

This issue was discovered by Julian Stecklina (jsteckli@amazon.de) from
Amazon and Thomas Prescher (thomas.prescher@cyberus-technology.de) from
Cyberus Technology. It was also independently discovered by Zdenek Sojka
from SYSGO (http://sysgo.com) and by Colin Percival.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa267-[12].patch           xen-unstable
xsa267-4.10-[12].patch      Xen 4.10.x
xsa267-4.9-[12].patch       Xen 4.9.x, 4.8.x
xsa267-4.7-[12].patch       Xen 4.7.x
xsa267-4.6-[12].patch       Xen 4.6.x

Alternatively, the following patches can be used to create livepatches
for running hypervisors.

xsa267-livepatch.patch      xen-unstable, Xen 4.10.x, 4.9.x
xsa267-4.8-livepatch.patch  Xen 4.8.x

$ sha256sum xsa267*
d126e57ac6151e661294da9211a9d556845255a9d1909d73ec58a28c81b4a79d  xsa267-1.patch
00ec30c3738c3fcac8ca24a03308fc2d2dacab78640c17e5bb078e474b263719  xsa267-2.patch
9172c51e3652498740aa54c7953fb70c6df3902b382a9e9fa25a82943f70849d  xsa267-4.6-1.patch
8579fa847aea19b3666db39c9c844c32b543e5504f49074e48600c4958fa9eba  xsa267-4.6-2.patch
0fb7c123947a95963537ddeb156718d93a3d04b42486009fc520eaaeeba8aad6  xsa267-4.7-1.patch
418a71f8fc5b3ff1a5eb5cf4d161dea9c88697b50d84d8b8eec1ecf594f798f1  xsa267-4.7-2.patch
488f769e19acfe4ca59c731f58c5d464ec694e3c1923fbb3a26e6ed85afa68f8  xsa267-4.8-livepatch.patch
b4d1712b48c71ca541b6a39c182c3a134ff4d36cbf52ef6d65444ce84729c4b3  xsa267-4.9-1.patch
5ab13ae9ea070b2eee6ecf31324518f8315b7c0e523295d7892e5263fccb9d1f  xsa267-4.9-2.patch
9703a2e661f67408a108b540d296439cd349027a322b2e360780319897386753  xsa267-4.10-1.patch
d30dcb4887cb1963b460f850f34f0cd179704a2cdc8cdaf72bd16e495a0d63f1  xsa267-4.10-2.patch
7832229d987ac9b7292eb815d54b78e9884b892795d9ac3f11f0752f6c59d312  xsa267-livepatch.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or others
which are substantially similar) is permitted during the embargo, even
on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in post-embargo
publicly released Xen Project advisories, even though it is then no
longer applicable. This is to enable the community to have oversight of
the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/gMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZI2YIAK70qlPXodYYHKal4j8IjsD4wR09ONdMAXAc5ocs
FHNGeIY3BdodBRB59Xj7ee61NhTraFUmvWdb8VJuuEfla7l6K4ZTG1ZCNDGoWHJl
qCvD43Hti7R0iY5MJ4qyaKz0Ky7C5MC+CDwVQfyHew+c3B53CndQxL8O+zTskwE9
swz84j8NdNnUvG3RfWx/Xspqt6vktKUYg4tEVKm68qzy1F6RElfdZ2ccyqpv7kiY
ffMhOihqsfBMdzXNJGHq48wwrp8VMdw7waW4s4JZEfDt6ES7R5OubqrkXLnUwLr+
vSvyPlpV1YNPhq4xCX01N3yIQv3h+RTPPPuLDP/acm3HF40=
=7hc6
-----END PGP SIGNATURE-----