Information

AdvisoryXSA-62
Public release 2013-09-24 12:00
Updated 2023-12-15 15:35
Version 3
CVE(s) CVE-2013-1442
Title Information leak on AVX and/or LWP capable CPUs

Files

advisory-62.txt (signed advisory file)
xsa62-4.1.patch
xsa62.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2013-1442 / XSA-62
                              version 3

            Information leak on AVX and/or LWP capable CPUs

UPDATES IN VERSION 3
====================

Normalize version tags

ISSUE DESCRIPTION
=================

When a guest increases the set of extended state components for a vCPU saved/
restored via XSAVE/XRSTOR (to date this can only be the upper halves of YMM
registers, or AMD's LWP state) after already having touched other extended
registers restored via XRSTOR (e.g. floating point or XMM ones) during its
current scheduled CPU quantum, the hypervisor would make those registers
accessible without discarding the values an earlier scheduled vCPU may have
left in them.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive information
such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting AVX and/or LWP.  Any kind of guest can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is disabled by
default; therefore systems running these versions are not vulnerable unless
support is explicitly enabled using the "xsave" hypervisor command line option.

Systems using processors supporting neither AVX nor LWP are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION
==========

Turning off XSAVE support via the "no-xsave" hypervisor command line option
will avoid the vulnerability.

CREDITS
=======

Jan Beulich discovered this issue.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa62.patch                 Xen 4.2.x, 4.3.x, and xen-unstable
xsa62-4.1.patch             Xen 4.1.x

$ sha256sum xsa62*.patch
3cec8ec26552f2142c044422f1bc0f77892e681d789d1f360ecc06e1d714b6bb  xsa62-4.1.patch
364577f317a714099c068eb1ab771643ada99b5067fdd1eb5149fa5db649b856  xsa62.patch
$
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b+kMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZJXsH/Ay3kmrt4tyh21svIsIDRWdUzNqojadGN7N2J0iU
dcptstHdWHzNFbEkDqnm7XoOwvlO/oCfV+BI5ZVUBJDIVFrFtvSe8kgyWCy1g6Vz
5NYl6d3IrCTfVRQtHI/5OA3RXrKrHsLW2vPx2fvAmqiUi82m6z9wQ02iusqH0rET
jxSEiJ9ei5jlnpR/eFbmUIn3HFssx5rgvD2ih82oYuvjXymwZS2sBS2qBbH6fn8W
f8XIrzTdwSKLjsQrYGno/0HiFRv63RD2/NFhw3liBsQcvGLwKPrHWsTmprQhIvKx
JWQ2l+icQtpTETV3mN6bk7kArd3dFUdNwp1N/7SWKuTAIfI=
=JeUb
-----END PGP SIGNATURE-----


Xenproject.org Security Team