[kernel-xen] Xen Security Advisory 75 - Host crash due to guest VMX instruction execution

Steven Haigh netwiz at crc.id.au
Sun Nov 10 02:14:11 EST 2013


                  Xen Security Advisory XSA-75

           Host crash due to guest VMX instruction execution

ISSUE DESCRIPTION
=================

Permission checks on the emulation paths (intended for guests using
nested virtualization) for VMLAUNCH and VMRESUME were deferred too
much.  The hypervisor would try to use internal state which is not set
up unless nested virtualization is actually enabled for a guest.

IMPACT
======

A malicious or misbehaved HVM guest, including malicious or misbehaved user
mode code run in the guest, might be able to crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only HVM guests run on VMX capable (e.g. Intel) hardware can take
advantage of this vulnerability.

MITIGATION
==========

Running only PV guests, or running HVM guests on SVM capable
(e.g. AMD) hardware will avoid this issue.

Enabling nested virtualization for a HVM guest running on VMX capable
hardware would also allow avoiding the issue.  However this
functionality is still considered experimental, and is not covered by
security support from the Xen Project security team.  This approach is
therefore not recommended for use in production.

CREDITS
=======

This issue was discovered by Jeff Zimmerman.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Fixed in xen-4.2.3-9

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20131110/c560caed/attachment.sig>


More information about the kernel-xen mailing list