DRAFT XSA 75 - Host crash due to guest VMX instruction execution

[Xen.org security team <security@xen.org>]

[-- Attachment #1: Type: text/plain, Size: 1838 bytes --]

***** DRAFT DRAFT DRAFT *****

                  Xen Security Advisory XSA-75

           Host crash due to guest VMX instruction execution

ISSUE DESCRIPTION
=================

Permission checks on the emulation paths (intended for guests using
nested virtualization) for VMLAUNCH and VMRESUME were deferred too
much.  The hypervisor would try to use internal state which is not set
up unless nested virtualization is actually enabled for a guest.

IMPACT
======

A malicious or misbehaved HVM guest, including malicious or misbehaved user
mode code run in the guest, might be able to crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only HVM guests run on VMX capable (e.g. Intel) hardware can take
advantage of this vulnerability.

MITIGATION
==========

Running only PV guests, or running HVM guests on SVM capable
(e.g. AMD) hardware will avoid this issue.

Enabling nested virtualization for a HVM guest running on VMX capable
hardware would also allow avoiding the issue.  However this
functionality is still considered experimental, and is not covered by
security support from the Xen Project security team.  This approach is
therefore not recommended for use in production.

CREDITS
=======

This issue was discovered by Jeff Zimmerman.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa75-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa75-4.2.patch             Xen 4.2.x

$ sha256sum xsa75*.patch
0b2da4ede6507713c75e313ba468b1fd7110e5696974ab72e2135f41ee393a8b  xsa75-4.2.patch
91936421279fd2fa5321d9ed5a2b71fe76bc0e1348e67126e8b9cde0cb1d32b2  xsa75-4.3-unstable.patch
$

[-- Attachment #2: xsa75-4.2.patch --]
[-- Type: application/octet-stream, Size: 1586 bytes --]

nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing

Otherwise uninitialized data may be used, leading to crashes.

This is XSA-75.

Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1075,15 +1075,10 @@ int nvmx_handle_vmxoff(struct cpu_user_r
     return X86EMUL_OKAY;
 }
 
-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
 {
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-    int rc;
-
-    rc = vmx_inst_check_privilege(regs, 0);
-    if ( rc != X86EMUL_OKAY )
-        return rc;
 
     /* check VMCS is valid and IO BITMAP is set */
     if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
@@ -1100,6 +1095,10 @@ int nvmx_handle_vmresume(struct cpu_user
 {
     int launched;
     struct vcpu *v = current;
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {
@@ -1119,8 +1118,11 @@ int nvmx_handle_vmresume(struct cpu_user
 int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
 {
     int launched;
-    int rc;
     struct vcpu *v = current;
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {

[-- Attachment #3: xsa75-4.3-unstable.patch --]
[-- Type: application/octet-stream, Size: 1747 bytes --]

nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing

Otherwise uninitialized data may be used, leading to crashes.

This is XSA-75.

Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1509,15 +1509,10 @@ static void clear_vvmcs_launched(struct 
     }
 }
 
-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
 {
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-    int rc;
-
-    rc = vmx_inst_check_privilege(regs, 0);
-    if ( rc != X86EMUL_OKAY )
-        return rc;
 
     /* check VMCS is valid and IO BITMAP is set */
     if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
@@ -1536,6 +1531,10 @@ int nvmx_handle_vmresume(struct cpu_user
     struct vcpu *v = current;
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {
@@ -1555,10 +1554,13 @@ int nvmx_handle_vmresume(struct cpu_user
 int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
 {
     bool_t launched;
-    int rc;
     struct vcpu *v = current;
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {

[-- Attachment #4: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel