Information

Advisory XSA-53
Public release 2013-06-03 12:00
Updated 2013-06-03 16:18
Version 3
CVE(s) CVE-2013-2077
Title Hypervisor crash due to missing exception recovery on XRSTOR

Files

advisory-53.txt (signed advisory file)
xsa53-4.1.patch
xsa53-4.2.patch
xsa53-unstable.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-2077 / XSA-53
                            version 3

       Hypervisor crash due to missing exception recovery on XRSTOR

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Processors do certain validity checks on the data passed to XRSTOR.
While the hypervisor controls the placement of that memory block, it
doesn't restrict the contents in any way.  Thus the hypervisor exposes
itself to a fault occurring on XRSTOR.  Other than for FXRSTOR, which
behaves similarly, there was no exception recovery code attached to
XRSTOR.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host
to crash.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE.  Only PV guests can exploit the vulnerability; for
HVM guests only the control tools have access to the respective
hypervisor functions.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the "xsave"
hypervisor command line option.

Systems using processors not supporting XSAVE are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line
option will avoid the vulnerability.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa53-4.1.patch             Xen 4.1.x
xsa53-4.2.patch             Xen 4.2.x
xsa53-unstable.patch        xen-unstable

$ sha256sum xsa53-*.patch
2deedb983ef6ffb24375e5ae33fd271e4fb94f938be143919310daf1163de182  xsa53-4.1.patch
785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d  xsa53-4.2.patch
b9804e081afbc5e7308176841d0249e1f934f75e7fcc8f937bad6b95eb6944a5  xsa53-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----


Xenproject.org Security Team
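
The applicability rules under VULNERABLE SYSTEMS and MITIGATION, written out as a triage function for inventory data. This is an added example, not part of the advisory or of the Xen project's tooling. The function name, its three caller-supplied arguments and the sample rows are constructed, and the `xsave=<bool>` spellings are an assumption about Xen's generic boolean option parsing.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host against XSA-53's
# "VULNERABLE SYSTEMS" and "MITIGATION" rules. It cannot tell whether the
# xsa53 patch is applied, so the worst case reads "vulnerable-unless-patched".
# Args: <Xen version> <hypervisor command line> <CPU supports XSAVE: yes|no>
xsa53_exposure() (
    set -f                               # no globbing while splitting the command line
    ver=$1 cmdline=$2 cpu_xsave=$3
    major=${ver%%.*}; major=${major%%[!0-9]*}
    rest=${ver#*.}
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    case $rest in *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;; *) patch= ;; esac
    major=${major:-0} minor=${minor:-0} patch=${patch:-0}

    # "xsave" / "no-xsave" are the spellings in the advisory. The xsave=<bool>
    # forms and "last occurrence wins" are assumptions about Xen's generic
    # boolean option parsing.
    opt=default
    for tok in $cmdline; do
        case $tok in
            xsave|xsave=1|xsave=on|xsave=yes|xsave=true|xsave=enable)      opt=on ;;
            no-xsave|xsave=0|xsave=off|xsave=no|xsave=false|xsave=disable) opt=off ;;
        esac
    done

    # Xen 4.0.2 through 4.0.4 and 4.1.x ship with XSAVE support off by default.
    default_off=no
    if [ "$major" -eq 4 ] && [ "$minor" -eq 1 ]; then default_off=yes; fi
    if [ "$major" -eq 4 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && [ "$patch" -le 4 ]; then
        default_off=yes
    fi

    if   [ "$major" -lt 4 ];      then echo "not-vulnerable: Xen 3.x or earlier"
    elif [ "$cpu_xsave" != yes ]; then echo "not-vulnerable: processor lacks XSAVE"
    elif [ "$opt" = off ];        then echo "mitigated: XSAVE disabled on the command line"
    elif [ "$default_off" = yes ] && [ "$opt" != on ]; then
        echo "not-vulnerable: XSAVE is off by default in this release"
    else echo "vulnerable-unless-patched: apply the matching xsa53 patch or boot with no-xsave"
    fi
)

# Constructed inventory rows: version | hypervisor command line | CPU XSAVE
xsa53_exposure "4.1.5" "dom0_mem=2048M xsave" yes
xsa53_exposure "4.2.2" "dom0_mem=2048M no-xsave" yes
xsa53_exposure "4.0.4" "console=com1" yes
```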