Bug 1284941 - (xsa161) xen: Missing XSETBV intercept privilege check on AMD SVM leading to DoS
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Blocks: 1284949
Reported: 2015-11-24 08:59 EST by Adam Mariš
Modified: 2017-10-19 08:33 EDT
Doc Type: Bug Fix
Last Closed: 2015-11-26 03:57:07 EST

Attachments
xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x (1.02 KB, patch)
2015-11-24 08:59 EST, Adam Mariš
Description Adam Mariš 2015-11-24 08:59:26 EST
XSETBV is a privileged instruction, i.e. should result in #GP when issued by code running at other than the most privileged level (CPL 0). Unlike other privileged and intercepted instructions in AMD SVM, XSETBV has the privilege level check done after the intercept check, resulting in the need for software to do the checking instead. This software check was missing.

User mode code of HVM guests running on AVX-capable AMD hardware may effect changes to the set of enabled AVX sub-features in the guest, potentially confusing the guest kernel, likely resulting in crash and hence a Denial of Service to the guest. Other attacks, namely privilege escalation (again inside the guest only), cannot be ruled out.

Xen versions from 4.1 onwards are affected. Only x86 AMD systems supporting AVX are affected. Intel systems as well as ARM ones are unaffected. Only HVM guest user mode code can leverage this vulnerability.

Running only PV guests will avoid this vulnerability. Running HVM guests on only Intel hardware will also avoid this vulnerability.
Comment 1 Adam Mariš 2015-11-24 08:59 EST
Created attachment 1098209
xen-unstable, Xen 4.6.x, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x
Comment 2 Adam Mariš 2015-11-26 03:57:07 EST
Upon further inspection the necessary privilege level check is present in the generic code which handles XSETBV and therefore there is no vulnerability in any version of Xen. XSA-161 advisory is therefore withdrawn.
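The software-side check discussed in the description and in comment 2, as an added example that is not Xen's code and is not taken from the attached patch: a minimal C model of a generic XSETBV handler that rejects the instruction with #GP unless the guest is at CPL 0, followed by the architectural XCR0 validity checks. The names `vcpu_model`, `handle_xsetbv` and `xcr0_after_attempt` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural XCR0 feature bits. */
#define XCR0_X87 (1ULL << 0)
#define XCR0_SSE (1ULL << 1)
#define XCR0_AVX (1ULL << 2)

enum xsetbv_result { XSETBV_OK = 0, XSETBV_INJECT_GP = 1 };

/* Hypothetical, minimal vCPU model; not a Xen structure. */
struct vcpu_model {
    unsigned int cpl;        /* guest privilege level when the intercept fired */
    uint64_t xcr0;           /* guest's current XCR0 */
    uint64_t xfeature_mask;  /* XCR0 bits this guest may enable */
};

/* Generic XSETBV emulation reached from the intercept handler.
 * On XSETBV_INJECT_GP the guest's XCR0 is left untouched. */
enum xsetbv_result handle_xsetbv(struct vcpu_model *v, uint32_t index, uint64_t new_bv)
{
    /* The intercept is taken before the CPU's own CPL check, so do it here. */
    if (v->cpl != 0)
        return XSETBV_INJECT_GP;
    if (index != 0)                       /* only XCR0 is modelled */
        return XSETBV_INJECT_GP;
    if (!(new_bv & XCR0_X87))             /* x87 state can never be disabled */
        return XSETBV_INJECT_GP;
    if ((new_bv & XCR0_AVX) && !(new_bv & XCR0_SSE))  /* AVX requires SSE */
        return XSETBV_INJECT_GP;
    if (new_bv & ~v->xfeature_mask)       /* bits not offered to this guest */
        return XSETBV_INJECT_GP;
    v->xcr0 = new_bv;
    return XSETBV_OK;
}

/* Constructed scenario: a guest with x87|SSE|AVX enabled tries to write
 * new_bv to XCR0 at the given CPL; returns the XCR0 value afterwards. */
uint64_t xcr0_after_attempt(unsigned int cpl, uint64_t new_bv)
{
    uint64_t all = XCR0_X87 | XCR0_SSE | XCR0_AVX;
    struct vcpu_model v = { cpl, all, all };
    handle_xsetbv(&v, 0, new_bv);
    return v.xcr0;
}

int main(void)
{
    printf("CPL3 attempt: xcr0=%#llx\n", (unsigned long long)xcr0_after_attempt(3, XCR0_X87));
    printf("CPL0 attempt: xcr0=%#llx\n", (unsigned long long)xcr0_after_attempt(0, XCR0_X87 | XCR0_SSE));
    return 0;
}
```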
Comment 3 Adam Mariš 2015-11-26 04:08:16 EST

Not vulnerable. This issue did not affect the versions of Xen as shipped with Red Hat Enterprise Linux 5.
Comment 4 Adam Mariš 2015-11-26 04:09:02 EST

Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Jan Beulich of SUSE as the original reporter.
Comment 5 Martin Prpič 2015-12-08 07:41:01 EST
External References:

