Information

AdvisoryXSA-444
Public release 2023-10-10 12:00
Updated 2023-10-10 12:09
Version 3
CVE(s) CVE-2023-34327 CVE-2023-34328
Title x86/AMD: Debug Mask handling

Files

advisory-444.txt (signed advisory file)
xsa444-1.patch
xsa444-2.patch
xsa444-4.16-1.patch
xsa444-4.16-2.patch
xsa444-4.17-1.patch
xsa444-4.17-2.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

     Xen Security Advisory CVE-2023-34327,CVE-2023-34328 / XSA-444
                               version 3

                     x86/AMD: Debug Mask handling

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.
Xen supports guests using these extensions.

Unfortunately there are errors in Xen's handling of the guest state, leading
to denials of service.

 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of
    a previous vCPUs debug mask state.

 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT.
    This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock
    up the CPU entirely.

IMPACT
======

For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for
it's own purposes can cause incorrect behaviour in an unrelated HVM
vCPU, most likely resulting in a guest crash.

For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the
host.

VULNERABLE SYSTEMS
==================

Only AMD/Hygon hardware supporting the DBEXT feature are vulnerable.
This is believed to be the Steamroller microarchitecture and later.

For CVE-2023-34327, Xen versions 4.5 and later are vulnerable.

For CVE-2023-34328, Xen version between 4.5 and 4.13 are vulnerable.
The issue is benign in Xen 4.14 and later owing to an unrelated change.

MITIGATION
==========

For CVE-2023-34327, HVM VMs which can see the DBEXT feature are not
susceptible to running in the wrong state.  By default, VMs will see the
DBEXT feature on capable hardware, and when not explicitly levelled for
migration compatibility.

For CVE-2023-34328, PV VMs which cannot see the DBEXT feature cannot
leverage the vulnerability.

CREDITS
=======

This issue was discovered by Andrew Cooper of XenServer.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa444-?.patch           xen-unstable
xsa444-4.17-?.patch      Xen 4.17.x
xsa444-4.16-?.patch      Xen 4.16.x - Xen 4.15.x

$ sha256sum xsa444*
d1a10243d08295ffed2721aaa150efad9e9bd624428f0c24d04e69435a8ddc2e  xsa444-1.patch
9ce44c08030780c2e0432169ce679da0a5793ee254e38a0dbe506edf5f1587fd  xsa444-2.patch
ff0142be5b71679df0f425ea8f74e77589db5b5312e631541d2ab7968b9ea779  xsa444-4.16-1.patch
4ecf44680bd95fb4adddb1c5ced21e8b2754bca2f5cf3e028cf6ea3d9a90d239  xsa444-4.16-2.patch
9c1244f06c2cd0ad4c2023d224363d5d4ad063d80f8682ee66056520cabfb52d  xsa444-4.17-1.patch
18dcbb62b5c5f1fba205cfbc83f3b4b1ffa39490bbfd1f1263320f8aef16e83c  xsa444-4.17-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUlNO0MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZoGcH+gMuZqrzWTDFKflh1MO9EPI5iQzyJgQEHicacoBP
rO6gAUMQ2OvgqM1CO6e7qZ7qU+CPP2dfp1aR+Zxz0ynzeku2cVJY1SiAhZ+ZODso
pBZg/3DKtX0kGP27nStInbZQu2TGfTUQLJ80sYxb3A7Fl8uGWmlCFuZoYGK7R9+P
KU2sutmFJJipQVoQm38AQmTed1f+xjtX3AGwWFNGnuHkAC9pQGCQ29YL7wqhtvjw
FndF1aLLVCX5Wt6LIK6K5z8DncfrDTwXDha3XMbFmY37HGOOa96jTPJhThmnYEU1
SWc43m9HnCiP/DdBeQ9t2JmVVkx8Qc5kZQigFdpQ0aR/wj8=
=n97C
-----END PGP SIGNATURE-----


Xenproject.org Security Team