xen CVE-2013-2077 Hypervisor crash due to missing exception recovery on XRSTOR
reference:
http://www.openwall.com/lists/oss-security/2013/06/03/2
ISSUE DESCRIPTION
Processors do certain validity checks on the data passed to XRSTOR.
While the hypervisor controls the placement of that memory block, it
doesn’t restrict the contents in any way. Thus the hypervisor exposes
itself to a fault occurring on XRSTOR. Unlike FXRSTOR, which behaves
similarly but does have such recovery code, XRSTOR had no exception
recovery code attached to it.
IMPACT
Malicious or buggy unprivileged user space can cause the entire host
to crash.
VULNERABLE SYSTEMS
Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE. Only PV guests can exploit the vulnerability; for
HVM guests only the control tools have access to the respective
hypervisor functions.
In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the “xsave”
hypervisor command line option.
Systems using processors not supporting XSAVE are not vulnerable.
Xen 3.x and earlier are not vulnerable.
MITIGATION
Turning off XSAVE support via the “no-xsave” hypervisor command line
option will avoid the vulnerability.
RESOLUTION
Applying the attached patch resolves this issue.
xsa53-4.1.patch Xen 4.1.x
xsa53-4.2.patch Xen 4.2.x
xsa53-unstable.patch xen-unstable
$ sha256sum xsa53-*.patch
2deedb983ef6ffb24375e5ae33fd271e4fb94f938be143919310daf1163de182  xsa53-4.1.patch
785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d  xsa53-4.2.patch
b9804e081afbc5e7308176841d0249e1f934f75e7fcc8f937bad6b95eb6944a5  xsa53-unstable.patch
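The advisory gives a SHA-256 for each patch so that an administrator can confirm the file is the one the Xen security team published before applying it. The script below is an added example (not part of the advisory or of the Xen/Alpine projects) that automates that check: it compares each patch against the advisory's listed hash and fails loudly on a missing file or a mismatch. It assumes a POSIX shell with coreutils `sha256sum` and `cut` on the PATH, and that the patches are in the current directory.

```shell
#!/bin/sh
# Added example: verify the XSA-53 patch files against the SHA-256 values
# listed in the advisory before applying them. Assumes coreutils sha256sum.

# verify_patch FILE EXPECTED_SHA256
# Returns 0 when FILE exists and its SHA-256 matches EXPECTED_SHA256,
# 1 otherwise (missing file or mismatch), reporting the reason on stderr.
verify_patch() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual, expected $expected)" >&2
    return 1
}

# Check every patch named in the advisory. Any single failure makes the
# whole run fail, so a partially verified set is never treated as good.
verify_xsa53_patches() {
    status=0
    verify_patch xsa53-4.1.patch \
        2deedb983ef6ffb24375e5ae33fd271e4fb94f938be143919310daf1163de182 || status=1
    verify_patch xsa53-4.2.patch \
        785f7612bd229f7501f4e98e4760f307d90c64305ee14707d262b77f05fa683d || status=1
    verify_patch xsa53-unstable.patch \
        b9804e081afbc5e7308176841d0249e1f934f75e7fcc8f937bad6b95eb6944a5 || status=1
    return $status
}

# Run the full check only when invoked as: sh verify-xsa53.sh --check
if [ "${1:-}" = "--check" ]; then
    verify_xsa53_patches
    exit $?
fi
```

Run it from the directory holding the downloaded patches with `--check`; a non-zero exit status means at least one patch should not be applied. The hash is extracted with `cut` rather than passed to `sha256sum -c` so that the expected values stay visible in the script next to the version they belong to.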
(from redmine: issue id 2049, created on 2013-06-03, closed on 2013-06-06)
- Relations:
  - child #2050 (closed)
  - child #2051 (closed)
  - child #2052 (closed)
  - child #2053 (closed)
- Changesets:
- Revision f6e99451 by Natanael Copa on 2013-06-04T11:30:54Z:
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)
ref #2044
ref #2049
ref #2054
- Revision 793a2f36 by Natanael Copa on 2013-06-04T11:57:28Z:
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)
ref #2044
ref #2049
ref #2054
fixes #2045
fixes #2050
fixes #2055
(cherry picked from commit f6e99451d47fbe7cdb852f48dd11006808db52ae)
- Revision e466dbbf by Natanael Copa on 2013-06-05T15:04:11Z:
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)
ref #2044
ref #2049
ref #2054
fixes #2046
fixes #2051
fixes #2056
(cherry picked from commit f6e99451d47fbe7cdb852f48dd11006808db52ae)
Conflicts:
main/xen/APKBUILD
- Revision a2883b66 by Natanael Copa on 2013-06-05T15:08:29Z:
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)
ref #2044
ref #2049
ref #2054
fixes #2047
fixes #2052
fixes #2057
- Revision 9da25b87 by Natanael Copa on 2013-06-05T15:21:46Z:
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)
ref #2044
ref #2049
ref #2054
fixes #2048
fixes #2053
fixes #2058