Date: Wed, 13 Jun 2018 21:01:02 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 267 (CVE-2018-3665) - Speculative register leakage from lazy FPU context switching -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2018-3665 / XSA-267 version 3 Speculative register leakage from lazy FPU context switching UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= x86 has a hardware mechanism for lazy FPU context switching. On a task switch, %cr0.ts (Task Switched) gets set, and the next instruction to touch floating point state raises an #NM (No Math, later known as Device Not Available) exception. Traditionally, FPU state has been large in comparison to available bandwidth (and therefore slow to switch) and not used as frequently as cpu tasks tend to switch. This mechanism allows the OS to only switch FPU when necessary, which in turn increases performance. Some CPUs however speculate past an #NM exception, allowing register content to be leaked by a side-channel. For more details, see: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html IMPACT ====== An attacker can read x87/MMX/SSE/AVX/AVX-512 register state belonging to another vCPU previously scheduled on the same processor. This can be state belonging a different guest, or state belonging to a different thread inside the same guest. Furthermore, similar changes are expected for OS kernels. Consult your operating system provider for more information. VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. Only x86 processors are vulnerable. ARM processors are not known to be affected. Only Intel Core based processors (from at least Nehalem onwards) are potentially affected. Other processor designs (Intel Atom/Knights range), and other manufacturers (AMD) are not known to be affected. MITIGATION ========== Depending on the availability of host resources, leakage can be prevented between VMs by using cpupools or cpu pinning to isolate the vCPUs from different VMs to separate pCPUs. CREDITS ======= This issue was discovered by Julian Stecklina (jsteckli@...zon.de) from Amazon and Thomas Prescher (thomas.prescher@...erus-technology.de) from Cyberus Technology. It was also independenty discovered by Zdenek Sojka from SYSGO (http://sysgo.com) and by Colin Percival. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa267-.patch xen-unstable xsa267-4.10-.patch Xen 4.10.x xsa267-4.9-.patch Xen 4.9.x, 4.8.x xsa267-4.7-.patch Xen 4.7.x xsa267-4.6-.patch Xen 4.6.x Alternatively, the following patches can be used to create livepatches for running hypervisors. xsa267-livepatch.patch xen-unstable, Xen 4.10.x, 4.9.x xsa267-4.8-livepatch.patch Xen 4.8.x $ sha256sum xsa267* d126e57ac6151e661294da9211a9d556845255a9d1909d73ec58a28c81b4a79d xsa267-1.patch 00ec30c3738c3fcac8ca24a03308fc2d2dacab78640c17e5bb078e474b263719 xsa267-2.patch 9172c51e3652498740aa54c7953fb70c6df3902b382a9e9fa25a82943f70849d xsa267-4.6-1.patch 8579fa847aea19b3666db39c9c844c32b543e5504f49074e48600c4958fa9eba xsa267-4.6-2.patch 0fb7c123947a95963537ddeb156718d93a3d04b42486009fc520eaaeeba8aad6 xsa267-4.7-1.patch 418a71f8fc5b3ff1a5eb5cf4d161dea9c88697b50d84d8b8eec1ecf594f798f1 xsa267-4.7-2.patch 488f769e19acfe4ca59c731f58c5d464ec694e3c1923fbb3a26e6ed85afa68f8 xsa267-4.8-livepatch.patch b4d1712b48c71ca541b6a39c182c3a134ff4d36cbf52ef6d65444ce84729c4b3 xsa267-4.9-1.patch 5ab13ae9ea070b2eee6ecf31324518f8315b7c0e523295d7892e5263fccb9d1f xsa267-4.9-2.patch 9703a2e661f67408a108b540d296439cd349027a322b2e360780319897386753 xsa267-4.10-1.patch d30dcb4887cb1963b460f850f34f0cd179704a2cdc8cdaf72bd16e495a0d63f1 xsa267-4.10-2.patch 7832229d987ac9b7292eb815d54b78e9884b892795d9ac3f11f0752f6c59d312 xsa267-livepatch.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJbIX1aAAoJEIP+FMlX6CvZiA4H/iwQn5aa+9+iE6wVNhfI3XX4 YvogEPGW4Zp3Brq5ATDoyanIdabWU+5Tq4MtAyR3IyaFrnoevLFfumKIQjnqI3sk ef4PuxEYtVyiqwC+01o0Uk1+1K83xA4dG2wukuJbOtEF44d4X5fq9RWqdLprBADx FW7MrFeXcoQsbbRLfZzUZpjtQQ1Lys8gHbU+Un9l9yZjRUErxUFLhhsrpIwkYFF9 6zhlYGPdpZQ1s7W6OclD/Tm5ZpauggjJfLWSAckAuobNaR6bKh6iwr3AMWH0w+2w H7U2oKHQPw3kpiEz42cEEN9FDm/9mGNgNYkC+aPtn40zYuKhyBnORBMgssmA0Tk= =By/q -----END PGP SIGNATURE----- Download attachment "xsa267-1.patch" of type "application/octet-stream" (2160 bytes) Download attachment "xsa267-2.patch" of type "application/octet-stream" (8244 bytes) Download attachment "xsa267-4.6-1.patch" of type "application/octet-stream" (1942 bytes) Download attachment "xsa267-4.6-2.patch" of type "application/octet-stream" (8230 bytes) Download attachment "xsa267-4.7-1.patch" of type "application/octet-stream" (2214 bytes) Download attachment "xsa267-4.7-2.patch" of type "application/octet-stream" (8215 bytes) Download attachment "xsa267-4.8-livepatch.patch" of type "application/octet-stream" (4393 bytes) Download attachment "xsa267-4.9-1.patch" of type "application/octet-stream" (2180 bytes) Download attachment "xsa267-4.9-2.patch" of type "application/octet-stream" (8232 bytes) Download attachment "xsa267-4.10-1.patch" of type "application/octet-stream" (2212 bytes) Download attachment "xsa267-4.10-2.patch" of type "application/octet-stream" (8244 bytes) Download attachment "xsa267-livepatch.patch" of type "application/octet-stream" (4371 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.