List:       oss-security
Subject:    [oss-security] Xen Security Advisory 82 (CVE-2013-6885) - Guest triggerable AMD CPU erratum may caus
From:       Xen.org security team <security () xen ! org>
Date:       2014-02-19 16:55:24
Message-ID: E1WGAQe-0003PS-Bl () xenbits ! xen ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2013-6885 / XSA-82
                              version 4

          Guest triggerable AMD CPU erratum may cause host hang

UPDATES IN VERSION 4
====================

The original fix for 4.2.x and 4.1.x was found to deal with 64-bit
hypervisors only. Incremental patches to also address 32-bit ones are
now being provided in addition.

ISSUE DESCRIPTION
=================

AMD CPU erratum 793 "Specific Combination of Writes to Write Combined
Memory Types and Locked Instructions May Cause Core Hang" describes a
situation under which a CPU core may hang.

IMPACT
======

A malicious guest administrator can mount a denial of service attack
affecting the whole system.

VULNERABLE SYSTEMS
==================

The vulnerability is applicable only to family 16h model 00h-0fh AMD
CPUs.

Such CPUs running Xen versions 3.3 onwards are vulnerable.  We have
not checked earlier versions of Xen.

HVM guests can always exploit the vulnerability if it is present.
PV guests can exploit the vulnerability only if they have been granted
access to physical device(s).

Non-AMD CPUs are not vulnerable.

CREDITS
=======

This issue's security impact was discovered by Jan Beulich.

MITIGATION
==========

This issue can be avoided by neither running HVM guests, nor assigning
PCI devices to PV guests.

RESOLUTION
==========

The attached xsa82.patch contains a software workaround which resolves
this issue for 64-bit hypervisors. To also resolve the issue on 32-bit
hypervisors (Xen 4.2.x and 4.1.x only), the respective attached
xsa82-4.?-32bit.patch needs to be applied on top.

Alternatively, the recommended workaround can be implemented in
firmware, so a suitable firmware update will resolve the issue.
If you require a firmware update please consult your vendor.

xsa82.patch             Xen 4.1.x, Xen 4.2.x, Xen 4.3.x, xen-unstable
xsa82-4.1-32bit.patch   Xen 4.1.x
xsa82-4.2-32bit.patch   Xen 4.2.x

$ sha256sum xsa82*.patch
b0fb0289e1da965bc038993e07af4ba78cb746ed8f1a1865f5fec9de7299faa7  xsa82-4.1-32bit.patch
18f2ba14131975b45688e3c5f4c0a85bd78cf089c3d83ae81f86e149b8c538d6  xsa82-4.2-32bit.patch
0a58f3564ca91fd2668c202446c607fdb1ec8643e558a3921046d43675f58c08  xsa82.patch
$

["xsa82-4.1-32bit.patch" (application/octet-stream)]

x86/AMD: work around erratum 793 for 32-bit

The original change went into a 64-bit only code section, thus leaving
the issue unfixed on 32-bit. Re-order code to address this.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>

--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -649,6 +649,18 @@ static void __devinit init_amd(struct cp
 		       "*** Pass \"allow_unsafe\" if you're trusting"
 		       " all your (PV) guest kernels. ***\n");
 
+	/* AMD CPUs do not support SYSENTER outside of legacy mode. */
+	clear_bit(X86_FEATURE_SEP, c->x86_capability);
+
+	if (c->x86 == 0x10) {
+		/* do this for boot cpu */
+		if (c == &boot_cpu_data)
+			check_enable_amd_mmconf_dmi();
+
+		fam10h_check_enable_mmcfg();
+	}
+#endif
+
 	if (c->x86 == 0x16 && c->x86_model <= 0xf) {
 		rdmsrl(MSR_AMD64_LS_CFG, value);
 		if (!(value & (1 << 15))) {
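Review bot: the added block ends in a bare `#endif` whose opening conditional lies outside the hunk, so these lines alone do not show which section is now closed earlier; annotating it (`#endif /* <condition> */`) would make the purpose of the move readable. Because the family 16h block now follows that `#endif`, `value` in `rdmsrl(MSR_AMD64_LS_CFG, value)` has to be declared outside the 64-bit-only section, otherwise the 32-bit build this patch targets will not compile; worth confirming against the full file.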
@@ -663,18 +675,6 @@ static void __devinit init_amd(struct cp
 		}
 	}
 
-	/* AMD CPUs do not support SYSENTER outside of legacy mode. */
-	clear_bit(X86_FEATURE_SEP, c->x86_capability);
-
-	if (c->x86 == 0x10) {
-		/* do this for boot cpu */
-		if (c == &boot_cpu_data)
-			check_enable_amd_mmconf_dmi();
-
-		fam10h_check_enable_mmcfg();
-	}
-#endif
-
 	if (c->x86 == 0x10) {
 		/*
 		 * On family 10h BIOS may not have properly enabled WC+

["xsa82-4.2-32bit.patch" (application/octet-stream)]

x86/AMD: work around erratum 793 for 32-bit

The original change went into a 64-bit only code section, thus leaving
the issue unfixed on 32-bit. Re-order code to address this.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>

--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -522,6 +522,18 @@ static void __devinit init_amd(struct cp
 		       "*** Pass \"allow_unsafe\" if you're trusting"
 		       " all your (PV) guest kernels. ***\n");
 
+	/* AMD CPUs do not support SYSENTER outside of legacy mode. */
+	clear_bit(X86_FEATURE_SEP, c->x86_capability);
+
+	if (c->x86 == 0x10) {
+		/* do this for boot cpu */
+		if (c == &boot_cpu_data)
+			check_enable_amd_mmconf_dmi();
+
+		fam10h_check_enable_mmcfg();
+	}
+#endif
+
 	if (c->x86 == 0x16 && c->x86_model <= 0xf) {
 		if (c == &boot_cpu_data) {
 			l = pci_conf_read32(0, 0, 0x18, 0x3, 0x58);
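Review bot: on 4.2 the family 16h block that ends up after the moved `#endif` opens with a boot-CPU `pci_conf_read32(0, 0, 0x18, 0x3, 0x58)` rather than the `rdmsrl` seen in the 4.1 variant, so the reorder makes more than the erratum 793 MSR write reachable on 32-bit, while the commit message names only erratum 793. Either state in the message that the whole family 16h block becomes unconditional, or confirm that the PCI config access and the variable `l` are valid outside the 64-bit-only section.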
@@ -555,18 +567,6 @@ static void __devinit init_amd(struct cp
 		}
 	}
 
-	/* AMD CPUs do not support SYSENTER outside of legacy mode. */
-	clear_bit(X86_FEATURE_SEP, c->x86_capability);
-
-	if (c->x86 == 0x10) {
-		/* do this for boot cpu */
-		if (c == &boot_cpu_data)
-			check_enable_amd_mmconf_dmi();
-
-		fam10h_check_enable_mmcfg();
-	}
-#endif
-
 	if (c->x86 == 0x10) {
 		/*
 		 * On family 10h BIOS may not have properly enabled WC+

["xsa82.patch" (application/octet-stream)]

x86/AMD: work around erratum 793

The recommendation is to set a bit in an MSR - do this if the firmware
didn't, considering that otherwise we expose ourselves to a guest
induced DoS.

This is CVE-2013-6885 / XSA-82.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>

--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -476,6 +476,20 @@ static void __devinit init_amd(struct cp
 		       "*** Pass \"allow_unsafe\" if you're trusting"
 		       " all your (PV) guest kernels. ***\n");
 
+	if (c->x86 == 0x16 && c->x86_model <= 0xf) {
+		rdmsrl(MSR_AMD64_LS_CFG, value);
+		if (!(value & (1 << 15))) {
+			static bool_t warned;
+
+			if (c == &boot_cpu_data || opt_cpu_info ||
+			    !test_and_set_bool(warned))
+				printk(KERN_WARNING
+				       "CPU%u: Applying workaround for erratum 793\n",
+				       smp_processor_id());
+			wrmsrl(MSR_AMD64_LS_CFG, value | (1 << 15));
+		}
+	}
+
 	/* AMD CPUs do not support SYSENTER outside of legacy mode. */
 	clear_bit(X86_FEATURE_SEP, c->x86_capability);
 
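Review bot: in the warning condition, `c == &boot_cpu_data || opt_cpu_info || !test_and_set_bool(warned)` short-circuits on the boot CPU, so `warned` is still clear when the first secondary CPU reaches this code and the message is printed a second time even without `opt_cpu_info` (assuming `test_and_set_bool` returns the previous value). If one message per boot is intended, set `warned` on the boot-CPU path as well; if the second line is deliberate, to show that secondary CPUs also needed the fix, a short comment saying so would help.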
--- a/xen/include/asm-x86/msr-index.h
+++ b/xen/include/asm-x86/msr-index.h
@@ -213,6 +213,7 @@
 
 /* AMD64 MSRs */
 #define MSR_AMD64_NB_CFG		0xc001001f
+#define MSR_AMD64_LS_CFG		0xc0011020
 #define MSR_AMD64_IC_CFG		0xc0011021
 #define MSR_AMD64_DC_CFG		0xc0011022
 #define AMD64_NB_CFG_CF8_EXT_ENABLE_BIT	46
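Review bot: `MSR_AMD64_LS_CFG` is added without a name for the bit the workaround sets, whereas `MSR_AMD64_NB_CFG` in the same block has `AMD64_NB_CFG_CF8_EXT_ENABLE_BIT`. A matching define for LS_CFG bit 15 here would let amd.c drop its two bare `1 << 15` literals and give the erratum 793 bit a greppable name.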

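A host-side check for the condition the advisory describes (AMD family 16h, model 00h-0fh, LS_CFG bit 15), as an added example that is not part of the advisory or of Xen. The function and enum names are hypothetical, the inputs are constructed samples, and how the CPUID leaf 1 EAX value and the per-core MSR 0xc0011020 value are obtained is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LS_CFG_E793_BIT 15  /* bit xsa82.patch sets in MSR 0xc0011020 */

enum e793_status { E793_NOT_AFFECTED, E793_WORKAROUND_SET, E793_WORKAROUND_MISSING };

/* CPUID leaf 1 EAX: extended family (bits 27:20) is added when base family is 0xF. */
static unsigned cpu_family(uint32_t eax)
{
    unsigned base = (eax >> 8) & 0xf;
    return base == 0xf ? base + ((eax >> 20) & 0xff) : base;
}

/* On AMD, extended model (bits 19:16) forms the high nibble when base family is 0xF. */
static unsigned cpu_model(uint32_t eax)
{
    unsigned model = (eax >> 4) & 0xf;
    if (((eax >> 8) & 0xf) == 0xf)
        model |= ((eax >> 16) & 0xf) << 4;
    return model;
}

/* Classify one core from its vendor string, CPUID signature and LS_CFG value. */
enum e793_status erratum_793_status(const char *vendor, uint32_t eax, uint64_t ls_cfg)
{
    if (strcmp(vendor, "AuthenticAMD") != 0)
        return E793_NOT_AFFECTED;
    if (cpu_family(eax) != 0x16 || cpu_model(eax) > 0xf)
        return E793_NOT_AFFECTED;
    return ((ls_cfg >> LS_CFG_E793_BIT) & 1) ? E793_WORKAROUND_SET
                                             : E793_WORKAROUND_MISSING;
}

int main(void)
{
    /* Constructed samples: vendor, CPUID.1:EAX, LS_CFG value. */
    static const struct { const char *v; uint32_t eax; uint64_t ls; } s[] = {
        { "AuthenticAMD", 0x00700f01, 0x0000 },  /* family 16h model 00h, bit clear */
        { "AuthenticAMD", 0x00700f01, 0x8000 },  /* same part, bit 15 set */
        { "AuthenticAMD", 0x00730f01, 0x0000 },  /* family 16h model 30h */
        { "GenuineIntel", 0x000306a9, 0x0000 },  /* non-AMD */
    };
    static const char *names[] = { "not affected", "workaround set", "workaround MISSING" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%s %08x -> %s\n", s[i].v, (unsigned)s[i].eax,
               names[erratum_793_status(s[i].v, s[i].eax, s[i].ls)]);
    return 0;
}
```

The MSR is per core, so a fleet check has to evaluate every core; a single core reporting the bit clear means the workaround is missing there.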
