* Re: Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
From: Jonathan Tripathy @ 2012-09-05 9:49 UTC (permalink / raw)
To: xen-devel
Is Xen 3.4.x vulnerable?
Thanks
On 05.09.2012 10:38, Xen.org security team wrote:
> Xen Security Advisory CVE-2012-3494 / XSA-12
> version 3
>
> hypercall set_debugreg vulnerability
>
> UPDATES IN VERSION 3
> ====================
>
> Public release.
>
> ISSUE DESCRIPTION
> =================
>
> set_debugreg allows writes to reserved bits of the DR7 debug control
> register on x86-64.
>
> IMPACT
> ======
>
> A malicious guest can cause the host to crash, leading to a DoS.
>
> If the vulnerable hypervisor is run on future hardware, the impact of
> the vulnerability might be widened depending on the future assignment
> of the currently-reserved debug register bits.
>
> VULNERABLE SYSTEMS
> ==================
>
> All systems running 64-bit paravirtualised guests.
>
> The vulnerability dates back to at least Xen 4.0. 4.0, 4.1, the 4.2
> RCs, and xen-unstable.hg are all vulnerable.
>
> MITIGATION
> ==========
>
> This issue can be mitigated by ensuring (inside the guest) that the
> kernel is trustworthy, or by running only 32-bit or HVM guests.
>
> RESOLUTION
> ==========
>
> Applying the appropriate attached patch will resolve the issue.
>
> PATCH INFORMATION
> =================
>
> The attached patch resolves this issue:
>
> Xen unstable, 4.1 and 4.0 xsa12-all.patch
>
> $ sha256sum xsa12-all.patch
> 2415ee133e28b1c848c5ae3ce766cc2a67009bad8d026879030a6511b85dbc13
> xsa12-all.patch
* Re: Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
From: Andrew Cooper @ 2012-09-05 9:52 UTC (permalink / raw)
To: xen-devel
On 05/09/12 10:49, Jonathan Tripathy wrote:
> Is Xen 3.4.x vulnerable?
>
> Thanks
Yes - Vulnerable (tested and fixed) all the way back as far as Xen-3.2
(which is the earliest version that XenServer still creates security
fixes for)
~Andrew
--
Andrew Cooper - Dom0 Kernel Engineer, Citrix XenServer
T: +44 (0)1223 225 900, http://www.citrix.com
* Re: Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
From: Jan Beulich @ 2012-09-05 9:57 UTC (permalink / raw)
To: Jonathan Tripathy; +Cc: xen-devel
>>> On 05.09.12 at 11:49, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Is Xen 3.4.x vulnerable?
All versions supporting x86-64 are vulnerable afaict (checked back
to 3.2.x, but I suppose even 3.0.x would be affected).
Jan
* Xen Security Advisory 12 (CVE-2012-3494) - hypercall set_debugreg vulnerability
From: Xen.org security team @ 2012-09-05 9:38 UTC (permalink / raw)
To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team

Xen Security Advisory CVE-2012-3494 / XSA-12
version 3

hypercall set_debugreg vulnerability

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

set_debugreg allows writes to reserved bits of the DR7 debug control
register on x86-64.

IMPACT
======

A malicious guest can cause the host to crash, leading to a DoS.

If the vulnerable hypervisor is run on future hardware, the impact of
the vulnerability might be widened depending on the future assignment
of the currently-reserved debug register bits.

VULNERABLE SYSTEMS
==================

All systems running 64-bit paravirtualised guests.

The vulnerability dates back to at least Xen 4.0. 4.0, 4.1, the 4.2
RCs, and xen-unstable.hg are all vulnerable.

MITIGATION
==========

This issue can be mitigated by ensuring (inside the guest) that the
kernel is trustworthy, or by running only 32-bit or HVM guests.

RESOLUTION
==========

Applying the appropriate attached patch will resolve the issue.

PATCH INFORMATION
=================

The attached patch resolves this issue:

Xen unstable, 4.1 and 4.0 xsa12-all.patch

$ sha256sum xsa12-all.patch
2415ee133e28b1c848c5ae3ce766cc2a67009bad8d026879030a6511b85dbc13 xsa12-all.patch

[-- Attachment #2: xsa12-all.patch --]
xen: prevent a 64 bit guest setting reserved bits in DR7

The upper 32 bits of this register are reserved and should be written as
zero.

This is XSA-12 / CVE-2012-3494

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Ian Campbell <ian.campbell@citrix.com>

diff -r 353bc0801b11 xen/include/asm-x86/debugreg.h
--- a/xen/include/asm-x86/debugreg.h Mon Aug 06 12:28:03 2012 +0100
+++ b/xen/include/asm-x86/debugreg.h Wed Aug 15 12:00:21 2012 +0100
@@ -58,7 +58,7 @@
We can slow the instruction pipeline for instructions coming via the
gdt or the ldt if we want to. I am not sure why this is an advantage */
-#define DR_CONTROL_RESERVED_ZERO (0x0000d800ul) /* Reserved, read as zero */
+#define DR_CONTROL_RESERVED_ZERO (~0xffff27fful) /* Reserved, read as zero */
#define DR_CONTROL_RESERVED_ONE (0x00000400ul) /* Reserved, read as one */
#define DR_LOCAL_EXACT_ENABLE (0x00000100ul) /* Local exact enable */
#define DR_GLOBAL_EXACT_ENABLE (0x00000200ul) /* Global exact enable */
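
Review bot: In the changed DR_CONTROL_RESERVED_ZERO line, the new value ~0xffff27fful covers bits 63:32 only because unsigned long is 64 bits wide on x86-64, and the trailing comment "Reserved, read as zero" does not say so. Where unsigned long is 32 bits the same expression evaluates to the old 0x0000d800, which looks intended, but a reader has to work that out from the complement. Suggest extending the comment to state that the complement form is deliberate so that the mask includes the upper 32 bits on 64-bit builds. The code that tests this mask is outside the hunk, so it is worth confirming there that the guest-supplied value is checked at full width before any truncation.
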
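
What the one-line mask change in the XSA-12 patch does to a 64-bit DR7 value, as an added example that is not part of the advisory or of Xen's source. The helpers `dr7_value_ok` and `missed_by_old_mask` and the sample values are assumptions made for illustration; only the mask constants come from the patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Mask values copied from the patch, in fixed-width types so the result
 * does not depend on how wide unsigned long is on the build machine. */
#define RESERVED_ZERO_OLD   UINT64_C(0x0000d800)              /* before the fix */
#define RESERVED_ZERO_NEW   (~UINT64_C(0xffff27ff))           /* after, 64-bit */
#define RESERVED_ZERO_NEW32 ((uint32_t)~UINT32_C(0xffff27ff)) /* after, 32-bit */

/* Hypothetical check: 1 if no must-be-zero bit is set in a DR7 value. */
int dr7_value_ok(uint64_t value, uint64_t reserved_zero)
{
    return (value & reserved_zero) == 0;
}

/* Bits of `value` that only the post-patch mask rejects. */
uint64_t missed_by_old_mask(uint64_t value)
{
    return value & RESERVED_ZERO_NEW & ~RESERVED_ZERO_OLD;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    static const uint64_t samples[] = {
        UINT64_C(0x0000000000000401), /* bit 0 plus the read-as-one bit */
        UINT64_C(0x0000000000000800), /* bit 11, reserved in both masks */
        UINT64_C(0x0000000100000400), /* bit 32, in the upper half */
        UINT64_C(0xffffffff00000400), /* every upper bit set */
    };

    printf("new mask, 64-bit: 0x%016llx\n",
           (unsigned long long)RESERVED_ZERO_NEW);
    printf("new mask, 32-bit: 0x%08lx\n", (unsigned long)RESERVED_ZERO_NEW32);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%016llx old=%s new=%s missed=0x%016llx\n",
               (unsigned long long)samples[i],
               dr7_value_ok(samples[i], RESERVED_ZERO_OLD) ? "accept" : "reject",
               dr7_value_ok(samples[i], RESERVED_ZERO_NEW) ? "accept" : "reject",
               (unsigned long long)missed_by_old_mask(samples[i]));
    return 0;
}
```
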