Red Hat Bugzilla – Bug 1284941
xen: Missing XSETBV intercept privilege check on AMD SVM leading to DoS
Last modified: 2015-12-08 07:44:48 EST
XSETBV is a privileged instruction, i.e. should result in #GP when issued by code running at other than the most privileged level (CPL 0). Unlike other privileged and intercepted instructions in AMD SVM, XSETBV has the privilege level check done after the intercept check, resulting in the need for software to do the checking instead. This software check was missing.
User mode code of HVM guests running on AVX-capable AMD hardware may effect changes to the set of enabled AVX sub-features in the guest, potentially confusing the guest kernel, likely resulting in crash and hence a Denial of Service to the guest. Other attacks, namely privilege escalation (again inside the guest only), cannot be ruled out.
Xen versions from 4.1 onwards are affected. Only x86 AMD systems supporting AVX are affected. Intel systems as well as ARM ones are unaffected. Only HVM guest user mode code can leverage this vulnerability.
Running only PV guests will avoid this vulnerability. Running HVM guests on only Intel hardware will also avoid this vulnerability.
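As an added illustration, not Xen's code and not part of the advisory text above, the following simplified C model shows what the "software check" the description refers to has to do in a hypervisor's XSETBV intercept handler on AMD SVM: because the #VMEXIT is taken before the CPU performs its own CPL check, the handler must reflect #GP(0) to the guest for any CPL other than 0 before touching XCR0, and then validate the requested XCR0 value (index 0 only, no bits beyond what the guest was told it may use, x87 bit always set, AVX state only together with SSE state). The `vcpu_model` struct, its field names and the `xcr0_allowed` mask are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified model of a hypervisor's XSETBV intercept handler.
 * It is NOT Xen's implementation; it only demonstrates the order of checks. */

#define XSTATE_FP   (1ULL << 0)   /* x87 state: must always be enabled */
#define XSTATE_SSE  (1ULL << 1)   /* SSE state */
#define XSTATE_YMM  (1ULL << 2)   /* AVX (YMM upper halves) state */

enum xsetbv_result { XSETBV_OK = 0, XSETBV_GP = 1 };

/* Assumed per-vCPU state the handler has access to after the #VMEXIT. */
struct vcpu_model {
    unsigned int cpl;        /* guest's current privilege level (from SS.DPL) */
    uint64_t xcr0;           /* guest's current XCR0 */
    uint64_t xcr0_allowed;   /* feature bits the host exposes to the guest */
};

/* Returns XSETBV_GP when the instruction must be injected back into the guest
 * as #GP(0); in that case v->xcr0 is left unchanged. Returns XSETBV_OK and
 * updates v->xcr0 when the write is architecturally valid. */
enum xsetbv_result handle_xsetbv(struct vcpu_model *v, uint32_t ecx,
                                 uint64_t new_val)
{
    /* The check the intercept path must do in software on SVM: the hardware
     * CPL check happens only after the intercept, so it never ran. */
    if (v->cpl != 0)
        return XSETBV_GP;

    /* Only extended control register 0 exists. */
    if (ecx != 0)
        return XSETBV_GP;

    /* Reserved bits or features the guest was not given. */
    if (new_val & ~v->xcr0_allowed)
        return XSETBV_GP;

    /* XCR0[0] (x87) must be 1. */
    if (!(new_val & XSTATE_FP))
        return XSETBV_GP;

    /* AVX state cannot be enabled without SSE state. */
    if ((new_val & XSTATE_YMM) && !(new_val & XSTATE_SSE))
        return XSETBV_GP;

    v->xcr0 = new_val;
    return XSETBV_OK;
}

/* Scenario from the bug: ring-3 guest code trying to change the AVX feature
 * set. Returns true if the attempt is rejected and XCR0 is untouched. */
bool ring3_attempt_rejected(void)
{
    struct vcpu_model v = { 3, XSTATE_FP | XSTATE_SSE | XSTATE_YMM,
                               XSTATE_FP | XSTATE_SSE | XSTATE_YMM };
    enum xsetbv_result r = handle_xsetbv(&v, 0, XSTATE_FP | XSTATE_SSE);
    return r == XSETBV_GP && v.xcr0 == (XSTATE_FP | XSTATE_SSE | XSTATE_YMM);
}

/* Same write from ring 0 is legitimate and must take effect. */
bool ring0_attempt_accepted(void)
{
    struct vcpu_model v = { 0, XSTATE_FP | XSTATE_SSE | XSTATE_YMM,
                               XSTATE_FP | XSTATE_SSE | XSTATE_YMM };
    enum xsetbv_result r = handle_xsetbv(&v, 0, XSTATE_FP | XSTATE_SSE);
    return r == XSETBV_OK && v.xcr0 == (XSTATE_FP | XSTATE_SSE);
}

/* Ring-0 writes that are still invalid: wrong index, x87 cleared,
 * AVX without SSE, and a bit the guest was never offered. */
bool invalid_ring0_writes_rejected(void)
{
    struct vcpu_model v = { 0, XSTATE_FP | XSTATE_SSE,
                               XSTATE_FP | XSTATE_SSE | XSTATE_YMM };
    return handle_xsetbv(&v, 1, XSTATE_FP) == XSETBV_GP &&
           handle_xsetbv(&v, 0, XSTATE_SSE) == XSETBV_GP &&
           handle_xsetbv(&v, 0, XSTATE_FP | XSTATE_YMM) == XSETBV_GP &&
           handle_xsetbv(&v, 0, XSTATE_FP | (1ULL << 5)) == XSETBV_GP &&
           v.xcr0 == (XSTATE_FP | XSTATE_SSE);
}

int main(void)
{
    printf("ring-3 XSETBV rejected:      %s\n", ring3_attempt_rejected() ? "yes" : "NO");
    printf("ring-0 XSETBV accepted:      %s\n", ring0_attempt_accepted() ? "yes" : "NO");
    printf("invalid ring-0 XCR0 rejected: %s\n", invalid_ring0_writes_rejected() ? "yes" : "NO");
    return 0;
}
```

The CPL test comes first on purpose: any validation of the value itself is irrelevant if the instruction was issued from user mode, and the later comment on this bug notes that Xen's generic XSETBV handling already performs exactly this privilege level check.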
Created attachment 1098209
xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x
Upon further inspection the necessary privilege level check is present in the generic code which handles XSETBV and therefore there is no vulnerability in any version of Xen. XSA-161 advisory is therefore withdrawn.
Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5.
Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Jan Beulich of SUSE as the original reporter.