Bug 1317969 (CVE-2016-3158, CVE-2016-3159, xsa172)

Summary: CVE-2016-3158 CVE-2016-3159 xen: AMD FPU FIP/FDP/FOP leak workaround broken (XSA-172)
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, drjones, imammedo, knoel, mrezanin, pbonzini, pmatouse, rkrcmar, security-response-team, vkuznets
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-05 08:19:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1321944    
Bug Blocks: 1317974    
Attachments:
Description Flags
upstream patch none

Description Andrej Nemec 2016-03-15 16:10:30 UTC 
ISSUE DESCRIPTION
=================

There is a workaround in Xen to deal with the fact that AMD CPUs don't
load the x86 registers FIP (and possibly FCS), FDP (and possibly FDS),
and FOP from memory (via XRSTOR or FXRSTOR) when there is no pending
unmasked exception.

However, this workaround does not cover all possible input cases.
This is because writes to the hardware FSW.ES bit, which the current
workaround is based on, are ignored; instead, the CPU calculates
FSW.ES from the pending exception and exception mask bits.  Xen
therefore needs to do the same.

Note that part of said workaround was the subject of XSA-52.

IMPACT
======

A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and onwards are vulnerable.  Any kind of guest can
exploit the vulnerability.

The vulnerability is exposed only on AMD x86 systems.  Intel and ARM
systems do not expose this vulnerability.

Both PV and HVM guests are affected.

MITIGATION
==========

The vulnerability can be avoided if the guest kernel is controlled by
the host rather than guest administrator, provided that further steps
are taken to prevent the guest administrator from loading code into
the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.

On Xen versions 4.3 and earlier, turning off XSAVE support via the
"no-xsave" hypervisor command line option will avoid the vulnerability.

On Xen versions 4.4 and onwards there is no other known mitigation.
Comment 1 Andrej Nemec 2016-03-15 16:13:24 UTC 
Created attachment 1136653 [details]
upstream patch

This patch covers versions:

xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x
Comment 2 Andrej Nemec 2016-03-15 16:15:53 UTC 
Acknowledgments:

Name: the Xen project
Comment 3 Andrej Nemec 2016-03-16 15:24:01 UTC 
UPDATES IN VERSION 2
====================

CVEs assigned.

Impact is less severe than previously thought: sensitive information
is very unlikely to reside in the leaked registers.

NOTE REGARDING CVE
==================

CVE-2016-3158 is for the code change which is required for all
versions (but which is sufficient only on Xen 4.3.x, and insufficient
on later versions).  Ie for the second hunk in xsa172.patch (the only
hunk in xsa172-4.3.patch), which patches the function xrstor.

CVE-2016-3159 is for the code change which is applicable for later
versions only, but which must always be combined with the code change
for CVE-2016-3158.  Ie for the first hunk in xsa172.patch, which
patches the function fpu_fxrstor.
Comment 4 Adam Mariš 2016-03-29 12:32:26 UTC 
External Reference:

http://xenbits.xen.org/xsa/advisory-172.html
Comment 5 Adam Mariš 2016-03-29 12:33:40 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1321944]
Comment 6 Fedora Update System 2016-04-09 14:22:35 UTC 
xen-4.5.3-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-04-09 14:23:39 UTC 
xen-4.5.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Petr Matousek 2017-09-05 08:19:33 UTC 
Statement:

This issue does not affect the Xen hypervisor packages as shipped with Red Hat Enterprise Linux 5.