Information

Advisory	XSA-44
Public release	2013-04-18 12:00
Updated	2013-04-18 13:50
Version	3
CVE(s)	CVE-2013-1917
Title	Xen PV DoS vulnerability with SYSENTER

Files

advisory-44.txt (signed advisory file)
xsa44-4.0.patch
xsa44-4.1.patch
xsa44-4.2.patch
xsa44-unstable.patch

Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-1917 / XSA-44
                              version 3

                Xen PV DoS vulnerability with SYSENTER

UPDATES IN VERSION 3
====================

Backported patch for 4.0 now available.

ISSUE DESCRIPTION
=================

The SYSENTER instruction can be used by PV guests to accelerate system
call processing. This instruction, however, leaves the EFLAGS register
mostly unmodified - in particular, the NT flag doesn't get cleared. If
the hypervisor subsequently uses IRET to return to the guest (which it
will always do if the guest is a 32-bit one), that instruction will
cause a #GP fault to be raised, but the recovery code in the
hypervisor will again try to use IRET without intermediately clearing
the NT flag. The #GP fault raised on this second IRET is a fatal
event, causing the hypervisor to crash.

IMPACT
======

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS
==================

All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are
vulnerable.  32-bit Xen is not affected, as it doesn't permit the use
of SYSENTER by PV guests. 64-bit Xen run on AMD CPUs isn't affected
since AMD CPUs don't allow the use of SYSENTER in long mode.

The vulnerability is only exposed by PV guests.

MITIGATION
==========

Running only HVM guests, or running PV guests on only 32-bit hosts or only AMD
CPUs will avoid this vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa44-4.0.patch             Xen 4.0.x
xsa44-4.1.patch             Xen 4.1.x
xsa44-4.2.patch             Xen 4.2.x
xsa44-unstable.patch        xen-unstable

$ sha256sum xsa44*.patch
4de554d29adbae41a65d401becd9d074be27932ad9f3e0ed78ecb89de3ed35b5  xsa44-4.0.patch
3dbf47224be0f8fc66ba08d8a46b910bd9a3e672ffe864aa77c698bef0e27783  xsa44-4.1.patch
c6c3afa228426d78e0484b7ac34210f642f79add35c4a04ca5ff7db5f2539e49  xsa44-4.2.patch
0e6ad83da75dc207a165411844c0985fd7f9588d92c2c95911c245485351bf36  xsa44-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRb/oqAAoJEIP+FMlX6CvZ9EYH/2OAz/GRAX4A2Y52HoUfslN9
lZa4YNJOtPOuLITMeapu7MXBgRJYA/GPFzfBVlAoPNQTNpUD0Mfxvwz9mVGIUtNX
t0Mriz/oFGDqHzvz3rksmvG9y6tMfwa++srXms/uTXd3T1CxeGIHA4hMuvCRkMAU
HQHQ1pfsK6XGHV+ITeJVBGEwKh+aDxBfqIXDU1yhgTA9djpsHXWNAsu5mNRBsb0i
zMVxZg+x1maHhxigLwsEm1poxneWhkq+0pvTo/hCdK2XcK9NaUXNAALMZfQn5kgK
IwaC52V3FJSxErIWlZz6IW6Zq4tugzu/VJ92hrM0fubd04mfFG15+buc+NdUmvk=
=qSef
-----END PGP SIGNATURE-----

Xenproject.org Security Team