xen CVE-2013-2076 Information leak on XSAVE/XRSTOR capable AMD CPUs

reference:
http://www.openwall.com/lists/oss-security/2013/06/03/1

ISSUE DESCRIPTION

On AMD processors supporting XSAVE/XRSTOR (family 15h and up), when an
exception is pending, these instructions save/restore only the FOP,
FIP, and FDP x87 registers in FXSAVE/FXRSTOR. This allows one domain
to determine portions of the state of floating point instructions of
other domains.

NOTE: This is the documented behavior of AMD64 processors, but it is
inconsistent with Intel processors in a security-relevant fashion that
was not addressed by the original implementation of XSAVE support on
Xen.

This vulnerability is similar to CVE-2006-1056, concerning
FXSAVE/FXRSTOR on AMD processors.

IMPACT

A malicious domain may be able to leverage this to obtain sensitive
information such as cryptographic keys from another domain.

VULNERABLE SYSTEMS

Xen 4.0 and onwards are vulnerable when run on systems with AMD
processors supporting XSAVE. Any kind of guest can exploit the
vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the “xsave”
hypervisor command line option.

Systems not using AMD processors, or using AMD processors not
supporting XSAVE (i.e. families prior to 15h), are not vulnerable.

Xen 3.x and earlier are not vulnerable.

MITIGATION

Turning off XSAVE support via the “no-xsave” hypervisor command line
option will avoid the vulnerability.

RESOLUTION

Applying the attached patch resolves this issue.

xsa52-4.1.patch Xen 4.1.x
xsa52-4.2-unstable.patch Xen 4.2.x, xen-unstable

$ sha256sum xsa52-*.patch
058741aae8881774cfe8f8d193fee9b92da62e61459b1e9617798ccee2ce8d75 xsa52-4.1.patch
5b8582185bf90386729e81db1f7780c69a891b074a87d9a619a90d6f639bea13 xsa52-4.2-unstable.patch

(from redmine: issue id 2044, created on 2013-06-03, closed on 2013-06-06)

Relations:
- child #2045 (closed)
- child #2046 (closed)
- child #2047 (closed)
- child #2048 (closed)
Changesets:
- Revision f6e99451 by Natanael Copa on 2013-06-04T11:30:54Z:

main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)

ref #2044
ref #2049
ref #2054

Revision 793a2f36 by Natanael Copa on 2013-06-04T11:57:28Z:

main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)

ref #2044
ref #2049
ref #2054
fixes #2045
fixes #2050
fixes #2055
(cherry picked from commit f6e99451d47fbe7cdb852f48dd11006808db52ae)

Revision e466dbbf by Natanael Copa on 2013-06-05T15:04:11Z:

main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)

ref #2044
ref #2049
ref #2054
fixes #2046
fixes #2051
fixes #2056
(cherry picked from commit f6e99451d47fbe7cdb852f48dd11006808db52ae)

Conflicts:
	main/xen/APKBUILD

Revision a2883b66 by Natanael Copa on 2013-06-05T15:08:29Z:

main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)

ref #2044
ref #2049
ref #2054
fixes #2047
fixes #2052
fixes #2057

Revision 9da25b87 by Natanael Copa on 2013-06-05T15:21:46Z:

main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078)

ref #2044
ref #2049
ref #2054
fixes #2048
fixes #2053
fixes #2058

Uploads:
- xsa52-4.1.patch
- xsa52-4.2-unstable.patch

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information