[v2.3] xen CVE-2013-2078 Hypervisor crash due to missing exception recovery on XSETBV

Processors do certain validity checks on the register values passed to
XSETBV. For the PV emulation path for that instruction the hypervisor
code didn’t check for certain invalid bit combinations, thus exposing
itself to a fault occurring when invoking that instruction on behalf
of the guest.

Malicious or buggy unprivileged user space can cause the entire host

Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting XSAVE. Only PV guests can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by default; therefore systems running these versions are not
vulnerable unless support is explicitly enabled using the “xsave”
hypervisor command line option.

Systems using processors not supporting XSAVE are not vulnerable.

Xen 3.x and earlier are not vulnerable.

Turning off XSAVE support via the “no-xsave” hypervisor command line
option will avoid the vulnerability.

Applying the attached patch resolves this issue.
xsa54.patch Xen 4.1.x, Xen 4.2.x, xen-unstable
$ sha256sum xsa54-*.patch
(from redmine: issue id 2058, created on 2013-06-03, closed on 2013-06-06)
- parent #2054 (closed)
- Revision 9da25b87 by Natanael Copa on 2013-06-05T15:21:46Z:
main/xen: security fixes (CVE-2013-2076,CVE-2013-2077,CVE-2013-2078) ref #2044 ref #2049 ref #2054 fixes #2048 fixes #2053 fixes #2058
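
The exposure rules stated in the advisory text above (Xen version, processor XSAVE support, the "xsave" / "no-xsave" hypervisor options, PV guests) can be turned into a fleet triage check. This is an added example, not code from the Xen project or from this tracker; the function names, the `runs_pv_guests` parameter, the `=value` option form and the sample hosts are assumptions made for illustration, and the check cannot tell whether xsa54.patch has already been applied.

```python
import re

# "xsave" and "no-xsave" come from the advisory; accepting an "xsave=<value>"
# form with these false spellings is an assumption about the option syntax.
_FALSE = {"0", "no", "off", "false", "disable"}

def parse_version(text):
    """Turn '4.1.5' or '4.2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Xen version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def xsave_default(ver):
    """XSAVE is off by default in 4.0.2-4.0.4 and 4.1.x, on otherwise."""
    return not ((4, 0, 2) <= ver <= (4, 0, 4) or ver[:2] == (4, 1))

def xsave_enabled(ver, cmdline):
    """Apply hypervisor command line options on top of the version default."""
    state = xsave_default(ver)
    for tok in cmdline.split():          # a later option overrides an earlier one
        name, _, value = tok.partition("=")
        if name == "no-xsave":
            state = False
        elif name == "xsave":
            state = value.lower() not in _FALSE
    return state

def assess(version, cpu_has_xsave, cmdline="", runs_pv_guests=True):
    """Classify one host against the conditions listed in the advisory."""
    ver = parse_version(version)
    if ver < (4, 0, 0):
        return "not vulnerable: Xen 3.x and earlier"
    if not cpu_has_xsave:
        return "not vulnerable: processor lacks XSAVE"
    if not xsave_enabled(ver, cmdline):
        return "not vulnerable: XSAVE disabled in hypervisor"
    if not runs_pv_guests:
        return "not exploitable: no PV guests"
    return "exposed unless patched: apply xsa54.patch or boot with no-xsave"

if __name__ == "__main__":
    # Constructed sample inventory: (Xen version, CPU has XSAVE, Xen command line)
    for host in [("4.2.2", True, "dom0_mem=512M"), ("4.1.5", True, "xsave"),
                 ("4.1.5", True, ""), ("4.2.2", True, "no-xsave")]:
        print(host, "->", assess(*host))
```

Determine the processor's XSAVE capability from the hardware specification rather than from inside a guest, since the hypervisor may hide the feature when it is turned off.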