From: Xen.org security team
Subject: DRAFT XSA 75 - Host crash due to guest VMX instruction execution
Date: Fri, 08 Nov 2013 11:57:55 +0000
To: security@xenproject.org, xen-devel@lists.xenproject.org, Jeff_Zimmerman@McAfee.com, andrew.cooper3@citrix.com
Cc: "Xen.org security team"

                    ***** DRAFT DRAFT DRAFT *****

                Xen Security Advisory XSA-75

        Host crash due to guest VMX instruction execution

ISSUE DESCRIPTION
=================

Permission checks on the emulation paths (intended for guests using
nested virtualization) for VMLAUNCH and VMRESUME were deferred too
far: before establishing whether the guest was permitted to execute the
instruction, the hypervisor would try to use internal state which is
not set up unless nested virtualization is actually enabled for the
guest.

IMPACT
======

A malicious or misbehaved HVM guest, including malicious or misbehaved
user mode code run in the guest, might be able to crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only HVM guests running on VMX-capable (e.g. Intel) hardware can take
advantage of this vulnerability.

MITIGATION
==========

Running only PV guests, or running HVM guests on SVM-capable (e.g. AMD)
hardware, will avoid this issue.

Enabling nested virtualization for an HVM guest running on VMX-capable
hardware would also allow avoiding the issue.
However this functionality is still considered experimental, and is not
covered by security support from the Xen Project security team. This
approach is therefore not recommended for use in production.

CREDITS
=======

This issue was discovered by Jeff Zimmerman.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa75-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa75-4.2.patch             Xen 4.2.x

$ sha256sum xsa75*.patch
0b2da4ede6507713c75e313ba468b1fd7110e5696974ab72e2135f41ee393a8b  xsa75-4.2.patch
91936421279fd2fa5321d9ed5a2b71fe76bc0e1348e67126e8b9cde0cb1d32b2  xsa75-4.3-unstable.patch
$

Attachment xsa75-4.2.patch (decoded from the base64 attachment):

nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing

Otherwise uninitialized data may be used, leading to crashes.

This is XSA-75.

Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1075,15 +1075,10 @@ int nvmx_handle_vmxoff(struct cpu_user_r
     return X86EMUL_OKAY;
 }
 
-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
 {
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-    int rc;
-
-    rc = vmx_inst_check_privilege(regs, 0);
-    if ( rc != X86EMUL_OKAY )
-        return rc;
 
     /* check VMCS is valid and IO BITMAP is set */
     if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
@@ -1100,6 +1095,10 @@ int nvmx_handle_vmresume(struct cpu_user
 {
     int launched;
     struct vcpu *v = current;
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {
@@ -1119,8 +1118,11 @@ int nvmx_handle_vmresume(struct cpu_user
 int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
 {
     int launched;
-    int rc;
     struct vcpu *v = current;
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {

Attachment xsa75-4.3-unstable.patch (decoded from the base64 attachment):

nested VMX: VMLANUCH/VMRESUME emulation must check permission first thing

Otherwise uninitialized data may be used, leading to crashes.

This is XSA-75.

Reported-and-tested-by: Jeff Zimmerman <Jeff_Zimmerman@McAfee.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-and-tested-by: Andrew Cooper <andrew.cooper3@citrix.com>

--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1509,15 +1509,10 @@ static void clear_vvmcs_launched(struct 
     }
 }
 
-int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
+static int nvmx_vmresume(struct vcpu *v, struct cpu_user_regs *regs)
 {
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
-    int rc;
-
-    rc = vmx_inst_check_privilege(regs, 0);
-    if ( rc != X86EMUL_OKAY )
-        return rc;
 
     /* check VMCS is valid and IO BITMAP is set */
     if ( (nvcpu->nv_vvmcxaddr != VMCX_EADDR) &&
@@ -1536,6 +1531,10 @@ int nvmx_handle_vmresume(struct cpu_user
     struct vcpu *v = current;
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {
@@ -1555,10 +1554,13 @@ int nvmx_handle_vmresume(struct cpu_user
 int nvmx_handle_vmlaunch(struct cpu_user_regs *regs)
 {
     bool_t launched;
-    int rc;
     struct vcpu *v = current;
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct nestedvmx *nvmx = &vcpu_2_nvmx(v);
+    int rc = vmx_inst_check_privilege(regs, 0);
+
+    if ( rc != X86EMUL_OKAY )
+        return rc;
 
     if ( vcpu_nestedhvm(v).nv_vvmcxaddr == VMCX_EADDR )
     {

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
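Review bot: Dropping the vmx_inst_check_privilege() call from nvmx_vmresume() (hunk @@ -1075,15 +1075,10 @@ in xsa75-4.2.patch and @@ -1509,15 +1509,10 @@ in xsa75-4.3-unstable.patch) makes that function depend on every caller having already done the check, so making it static in the same hunk is the right safeguard; the diff alone cannot show that nvmx_handle_vmresume() and nvmx_handle_vmlaunch() are its only callers, so that should be confirmed against the whole file, and a one-line comment above the definition stating the precondition (caller has validated privilege) would document it for anyone adding a caller later. The patch touches only vvmx.c; if a non-static prototype of nvmx_vmresume() exists in a header it has to be removed as well (gcc rejects a static definition following a non-static declaration, so a clean build is itself the check). The subject line also reads "VMLANUCH" where VMLAUNCH is meant.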
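Review bot: In the nvmx_handle_vmresume() hunks (@@ -1100,6 +1095,10 @@ and @@ -1536,6 +1531,10 @@) the new check is the first statement executed, ahead of the read of vcpu_nestedhvm(v).nv_vvmcxaddr, which is what the advisory requires; what the hunk cannot show is whether vmx_inst_check_privilege(regs, 0) itself fails for a guest that does not have nested virtualization enabled. If it only verified CPL and VMX-operation state, the comparison against VMCX_EADDR that follows would still be evaluated on state that was never initialized, so the reviewer should confirm that the check returns something other than X86EMUL_OKAY whenever nested VMX is off for the domain. Taking the addresses &vcpu_nestedhvm(v) and &vcpu_2_nvmx(v) before the check in the 4.3 variant is harmless, since nothing is dereferenced until after it.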
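Review bot: The nvmx_handle_vmlaunch() hunks (@@ -1119,8 +1118,11 @@ and @@ -1555,10 +1554,13 @@) apply the same early return, so both entry points now leave before vcpu_nestedhvm(v).nv_vvmcxaddr is read; since this three-statement prologue is now duplicated verbatim in both handlers while nvmx_vmresume() no longer checks at all, a short comment naming where the check lives (or a tiny shared helper wrapping vmx_inst_check_privilege()) would make the invariant easier to preserve as further VMX instructions get emulated. Moving `int rc` into an initialized declaration after `struct vcpu *v = current;` keeps the declarations together and matches the surrounding style, so no objection there.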
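As an added illustration of the ordering problem the ISSUE DESCRIPTION refers to, the following C is a constructed model, not Xen's code: every name in it (check_privilege, use_nested_state, the vcpu layout, the EMUL_* codes) is a hypothetical stand-in for the hypervisor's own. It places a VMLAUNCH emulation handler that consults nested-VMX state before the permission check beside the corrected ordering, where the check comes first; the real code keeps nested state in an embedded struct rather than behind a pointer, so a NULL pointer here stands in for "never initialized".

```c
/* Constructed model of the XSA-75 ordering bug (not Xen code).
 * All identifiers are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Emulator result codes, modelled on the X86EMUL_* convention in the patch.
 * EMUL_CRASH is a stand-in for "the real code would have used uninitialized
 * state and taken the host down"; it lets the model report instead of fault. */
enum { EMUL_OKAY = 0, EMUL_EXCEPTION = 1, EMUL_CRASH = -1 };

#define VVMCX_EADDR (~0UL)          /* "no virtual VMCS loaded" sentinel */

/* Nested-VMX state that only exists once nested virtualization has been
 * enabled for the guest; for an ordinary HVM guest it stays NULL. */
struct nested_vmx_state {
    unsigned long vvmcx_addr;       /* guest-physical address of the virtual VMCS */
    bool launched;
};

struct vcpu {
    bool nested_virt_enabled;       /* domain configured with nested virt */
    bool in_vmx_operation;          /* guest executed VMXON successfully */
    int cpl;                        /* privilege level of the guest code */
    struct nested_vmx_state *nv;    /* NULL unless nested_virt_enabled */
};

/* Permission check: the instruction is only legal for ring-0 code of a
 * guest that has nested VMX enabled and is in VMX operation. */
static int check_privilege(const struct vcpu *v)
{
    if (!v->nested_virt_enabled || !v->in_vmx_operation || v->cpl != 0)
        return EMUL_EXCEPTION;      /* real code injects a fault into the guest */
    return EMUL_OKAY;
}

/* Stand-in for the handler's first use of nested state. */
static int use_nested_state(const struct vcpu *v, bool *out_launched)
{
    if (v->nv == NULL)
        return EMUL_CRASH;          /* state never set up: the XSA-75 crash */
    if (v->nv->vvmcx_addr == VVMCX_EADDR)
        return EMUL_EXCEPTION;      /* VMfailInvalid: no virtual VMCS loaded */
    *out_launched = v->nv->launched;
    return EMUL_OKAY;
}

/* Vulnerable ordering (pre-patch structure): nested state is consulted
 * first, the privilege check only afterwards. */
int handle_vmlaunch_vulnerable(const struct vcpu *v)
{
    bool launched = false;
    int rc = use_nested_state(v, &launched);
    if (rc != EMUL_OKAY)
        return rc;
    rc = check_privilege(v);
    if (rc != EMUL_OKAY)
        return rc;
    return launched ? EMUL_EXCEPTION : EMUL_OKAY; /* VMLAUNCH on launched VMCS fails */
}

/* Fixed ordering: permission is checked first thing, so nested state is
 * never touched on behalf of a guest that may not run the instruction. */
int handle_vmlaunch_fixed(const struct vcpu *v)
{
    bool launched = false;
    int rc = check_privilege(v);
    if (rc != EMUL_OKAY)
        return rc;
    rc = use_nested_state(v, &launched);
    if (rc != EMUL_OKAY)
        return rc;
    return launched ? EMUL_EXCEPTION : EMUL_OKAY;
}

/* Drives one handler against a constructed vCPU: `nested` selects whether
 * the guest has nested VMX enabled, `fixed` selects the ordering. */
int run_model(bool nested, bool fixed)
{
    struct nested_vmx_state st = { .vvmcx_addr = 0x1000, .launched = false };
    struct vcpu v = {
        .nested_virt_enabled = nested,
        .in_vmx_operation = nested,
        .cpl = 0,
        .nv = nested ? &st : NULL,  /* constructed: state only exists when enabled */
    };
    return fixed ? handle_vmlaunch_fixed(&v) : handle_vmlaunch_vulnerable(&v);
}

int main(void)
{
    printf("plain HVM guest, vulnerable ordering: %d\n", run_model(false, false));
    printf("plain HVM guest, fixed ordering:      %d\n", run_model(false, true));
    printf("nested guest, fixed ordering:         %d\n", run_model(true, true));
    return 0;
}
```

For the plain HVM guest the vulnerable ordering reaches the uninitialized state (EMUL_CRASH, i.e. the host crash of the advisory) while the fixed ordering returns EMUL_EXCEPTION to the guest without touching it; for a guest with nested VMX enabled both orderings behave identically, which is why the bug was invisible in the configuration the emulation paths were written for.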