Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 03 Jun 2013 16:38:32 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 53 (CVE-2013-2077) - Hypervisor crash due
 to missing exception recovery on XRSTOR

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2013-2077 / XSA-53
                            version 3

       Hypervisor crash due to missing exception recovery on XRSTOR

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Processors do certain validity checks on the data passed to XRSTOR.
While the hypervisor controls the placement of that memory block, it
doesn't restrict the contents in any way.  Thus the hypervisor exposes
itself to a fault occurring on XRSTOR.  Other than for FXRSTOR, which
behaves similarly, there was no exception recovery code attached to
XRSTOR.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host
to crash.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE.  Only PV guests can exploit the vulnerability; for
HVM guests only the control tools have access to the respective
hypervisor functions.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the "xsave"
hypervisor command line option.

Systems using processors not supporting XSAVE are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line
option will avoid the vulnerability.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa53-4.1.patch             Xen 4.1.x
xsa53-4.2.patch             Xen 4.2.x
xsa53-unstable.patch        xen-unstable

$ sha256sum xsa53-*.patch
2deedb983ef6ffb24375e5ae33fd271e4fb94f938be143919310daf1163de182  xsa53-4.1.patch
785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d  xsa53-4.2.patch
b9804e081afbc5e7308176841d0249e1f934f75e7fcc8f937bad6b95eb6944a5  xsa53-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRrMHGAAoJEIP+FMlX6CvZFiwH/3LXdHi2TC8c5HP1CCmn9jw2
G44ZmfFYsEi8/SuEYnr7O4EE6lR/bU6FPu9u1Qal9KjfjkbmnGSmrJS2YTOnF42F
UNKb1AlB/FbEay+5JZguqFKNkNKi2/u1GmyCLGrd01edf0c2emMvSLovR1yGo8RY
u0KFpyRAMFt/OALIswQPblCYNkfEgOlAjTYAd4l06m47xRNEVeVbOQ93p0bbwnsT
wkHbv+TIx6iwip0T0wWwms/tgZFvhpDa9VCgJ0I5QAQcyVYewwXjbC0UAvgQ5I/H
p4CRyI3JP8FoblEk9sxtzscxLTw+cz14omNPal16wk7C6qZ7oYs8XKAoIuWMN5A=
=mnra
-----END PGP SIGNATURE-----

Download attachment "xsa53-4.1.patch" of type "application/octet-stream" (2179 bytes)

Download attachment "xsa53-4.2.patch" of type "application/octet-stream" (2273 bytes)

Download attachment "xsa53-unstable.patch" of type "application/octet-stream" (2328 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.