[kernel-xen] Xen Security Advisory 82 (CVE-2013-6885) - Guest triggerable AMD CPU erratum may cause host hang

Steven Haigh netwiz at crc.id.au
Wed Dec 11 12:53:39 EST 2013


             Xen Security Advisory CVE-2013-6885 / XSA-82
                              version 3

          Guest triggerable AMD CPU erratum may cause host hang

UPDATES IN VERSION 3
====================

Early public release.

This issue was predisclosed under embargo by the Xen Project Security
team, on the 27th of November.  We treated the issue as not publicly
known because it was not evident from the public sources that this
erratum constitutes a vulnerability (particularly, that it was a
vulnerability in relation to some Xen configurations).

Since then, the fact that this CPU erratum is likely to constitute a
security problem has been publicly disclosed, on the oss-security
mailing list.

Under the circumstances, and in accordance with the Xen Project
security vulnerability policy, it has been decided that it is no
longer appropriate to retain the embargo, as the key facts are now in
the open.

ISSUE DESCRIPTION
=================

AMD CPU erratum 793 "Specific Combination of Writes to Write Combined
Memory Types and Locked Instructions May Cause Core Hang" describes a
situation under which a CPU core may hang.

IMPACT
======

A malicious guest administrator can mount a denial of service attack
affecting the whole system.

VULNERABLE SYSTEMS
==================

The vulnerability is applicable only to family 16h model 00h-0fh AMD
CPUs.

Such CPUs running Xen versions 3.3 onwards are vulnerable.  We have
not checked earlier versions of Xen.

HVM guests can always exploit the vulnerability if it is present.
PV guests can exploit the vulnerability only if they have been granted
access to physical device(s).

Non-AMD CPUs are not vulnerable.

CREDITS
=======

This issue's security impact was discovered by Jan Beulich.

MITIGATION
==========

This issue can be avoided by neither running HVM guests, nor assigning
PCI devices to PV guests.

RESOLUTION
==========

Fixed in xen-4.2.3-11.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20131211/446633b1/attachment.sig>


More information about the kernel-xen mailing list