[v2.3] xen CVE-2013-2077 Hypervisor crash due to missing exception recovery on XRSTOR

Processors do certain validity checks on the data passed to XRSTOR.
While the hypervisor controls the placement of that memory block, it
doesn’t restrict the contents in any way. Thus the hypervisor exposes
itself to a fault occurring on XRSTOR. Other than for FXRSTOR, which
behaves similarly, there was no exception recovery code attached to

Malicious or buggy unprivileged user space can cause the entire host

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE. Only PV guests can exploit the vulnerability; for
HVM guests only the control tools have access to the respective

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the “xsave”
hypervisor command line option.

Systems using processors not supporting XSAVE are not vulnerable.

Xen 3.x and earlier are not vulnerable.

Turning off XSAVE support via the “no-xsave” hypervisor command line
option will avoid the vulnerability.

Applying the attached patch resolves this issue.

xsa53-4.1.patch Xen 4.1.x
xsa53-4.2.patch Xen 4.2.x

$ sha256sum xsa53-*.patch
(from redmine: issue id 2053, created on 2013-06-03, closed on 2013-06-06)
- parent #2049 (closed)
- Revision 9da25b87 by Natanael Copa on 2013-06-05T15:21:46Z:
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078) ref #2044 ref #2049 ref #2054 fixes #2048 fixes #2053 fixes #2058
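
A host triage check built from the advisory's rules above (affected versions, CPU support, and the “xsave” / “no-xsave” options), added here as an example; it is not part of the original issue or of Xen's code. The function name, the sample inputs and the later-option-wins handling are assumptions, and the check cannot tell whether the xsa53 patch has already been applied.

```python
import re

def xsa53_exposure(xen_version, xen_cmdline, cpu_flags):
    """Return (exposed, reason) per the rules stated in the advisory text.

    xen_version -- e.g. "4.1.4"; xen_cmdline -- hypervisor command line;
    cpu_flags   -- CPU feature names, e.g. the "flags" words of /proc/cpuinfo.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", xen_version)
    if not m:
        raise ValueError("unparseable Xen version: %r" % xen_version)
    major, minor, patch = (int(g or 0) for g in m.groups())

    if major < 4:
        return False, "Xen 3.x and earlier are not vulnerable"
    if "xsave" not in set(cpu_flags):
        return False, "processor does not support XSAVE"

    # XSAVE support is off by default in 4.0.2 through 4.0.4 and in 4.1.x.
    off_by_default = (major, minor) == (4, 1) or (
        (major, minor) == (4, 0) and 2 <= patch <= 4)
    enabled = not off_by_default
    # Assumption: if both options appear, the later one takes effect.
    for token in xen_cmdline.split():
        if token == "xsave":
            enabled = True
        elif token == "no-xsave":
            enabled = False

    if not enabled:
        return False, "XSAVE support is disabled in the hypervisor"
    return True, "XSAVE in use: patch, or boot with no-xsave"

if __name__ == "__main__":
    flags = "fpu sse2 xsave avx".split()   # constructed sample
    for ver, cmd in [("4.2.2", "dom0_mem=1024M"), ("4.1.4", "dom0_mem=1024M"),
                     ("4.1.4", "dom0_mem=1024M xsave"), ("4.2.2", "no-xsave")]:
        print(ver, repr(cmd), xsa53_exposure(ver, cmd, flags))
```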