Bug 1088585 (CVE-2014-3125)

Summary: CVE-2014-3125 xen: arm: Hardware timer context is not properly context switched (xsa-91)
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: drjones, imammedo, pbonzini, rkrcmar, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-04-16 20:04:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1088255    

Description Petr Matousek 2014-04-16 20:03:11 UTC 
When running on an ARM platform Xen was not context switching the
CNTKCTL_EL1 register, which is used by the guest kernel to control
access by userspace processes to the hardware timers. This meant that
any guest can reconfigure these settings for the entire system.

A malicious guest kernel can reconfigure CNTKCTL_EL1 to block
userspace access to the timer hardware for all domains, including
control domains. Depending on the other guest kernels in use this may
cause an unexpected exception in those guests which may lead to a
kernel crash and therefore a denial of service.

64-bit ARM Linux is known to be susceptible to crashing in this way.

A malicious guest kernel can also enable userspace access to the timer
control registers, which may not be expected by kernels running in
other domains. This can allow user processes to reprogram timer
interrupts and therefore lead to unexpected behaviour, potentially up
to and including crashing the guest. Userspace processes will also be
able to read the current timestamp value for the domain perhaps
leaking information to those processes.

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
Comment 1 Petr Matousek 2014-04-16 20:04:02 UTC 
Statement:

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5.
Comment 3 Murray McAllister 2014-05-01 07:47:01 UTC 
MITRE assigned CVE-2014-3125 to this issue:

http://seclists.org/oss-sec/2014/q2/209