ISSUE DESCRIPTION
=================

When support for the Intel VMX VMFUNC leaf 0 was added, a new optional function pointer hvmemul_vmfunc was added to the hvm_emulate_ops table. As is intended, that new function pointer is NULL on non-VMX hardware, including AMD SVM hardware.

However at a call site, the necessary NULL check was omitted before the indirect function call.

IMPACT
======

Malicious guests may cause a hypervisor crash, resulting in a Denial of Service (DoS).

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and newer are vulnerable. Xen versions 4.5 and earlier are not vulnerable.

Only HVM guests can exploit the vulnerability. PV guests cannot exploit the vulnerability.

Only x86 systems using SVM (AMD virtualisation extensions) rather than VMX (Intel virtualisation extensions) are vulnerable. This applies to HVM guests on AMD x86 CPUs. Therefore AMD x86 hardware is vulnerable; Intel hardware is not vulnerable.

ARM systems are not vulnerable.

MITIGATION
==========

Running only PV guests will avoid this vulnerability.

Running HVM guests on only VMX capable hardware will also avoid this vulnerability.

External References:
http://xenbits.xen.org/xsa/advisory-203.html

Acknowledgements:
Name: the Xen project
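The defect class described above, shown as an added example that is not Xen source code: an ops table with an optional hook that is NULL on one hardware backend, with the unchecked call site beside the checked one. The struct, function names and return codes are hypothetical and only model the pattern.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed return codes for this model (not Xen's definitions). */
enum { EMUL_OKAY = 0, EMUL_UNHANDLEABLE = 1 };

/* Model of an emulation ops table with one optional hook. */
struct emulate_ops {
    int (*read)(unsigned long addr); /* mandatory: set on all hardware */
    int (*vmfunc)(void);             /* optional: NULL unless VMX */
};

static int model_read(unsigned long addr) { (void)addr; return EMUL_OKAY; }
static int model_vmfunc(void) { return EMUL_OKAY; }

/* VMX-style table fills the optional hook; SVM-style table leaves it NULL. */
static const struct emulate_ops vmx_ops = { model_read, model_vmfunc };
static const struct emulate_ops svm_ops = { model_read, NULL };

/* Before: the call site trusts the optional pointer. With svm_ops this is
 * an indirect call through NULL, which in a hypervisor means a host crash. */
int emulate_vmfunc_unchecked(const struct emulate_ops *ops)
{
    return ops->vmfunc();
}

/* After: an absent hook is an emulation failure, not a call. */
int emulate_vmfunc_checked(const struct emulate_ops *ops)
{
    if (ops == NULL || ops->vmfunc == NULL)
        return EMUL_UNHANDLEABLE;
    return ops->vmfunc();
}

int main(void)
{
    printf("vmx: %d\n", emulate_vmfunc_checked(&vmx_ops));
    printf("svm: %d\n", emulate_vmfunc_checked(&svm_ops));
    /* emulate_vmfunc_unchecked(&svm_ops) would fault here. */
    return 0;
}
```

When reviewing similar tables, every member documented as optional needs a check at each call site, since the table initialiser gives no compile-time signal that a slot was left empty.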
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1406840]