'[oss-security] Xen Security Advisory 163 - virtual PMU is unsupported'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Xen Security Advisory 163 - virtual PMU is unsupported
From:       Xen.org security team <security () xen ! org>
Date:       2015-11-24 17:13:34
Message-ID: E1a1H9q-0000wL-6j () xenbits ! xen ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-163

                      virtual PMU is unsupported

ISSUE DESCRIPTION
=================

The Virtual Performance Measurement Unit feature has been documented
as unsupported, so far only on Intel CPUs.  Further issues have been
found or are suspected which would also (or exclusively) affect AMD
CPUs.  We believe that the functionality is mostly intended for
non-production use anyway.  Therefore this functionality is hereby
documented as generally unsupported security-wise.

IMPACT
======

Use of the feature may have unknown effects, ranging from information
leaks through Denial of Service to privilege escalation.

VULNERABLE SYSTEMS
==================

Only systems which enable the VPMU feature are affected.  That is,
only systems with a `vpmu' setting on the hypervisor command line.

Xen versions from 3.3 onwards are affected.

Only x86 systems are affected.  ARM systems do not currently implement
vPMU and are therefore currently unaffected; should this functionality
be added to ARM in the future it would be covered by this exclusion.

In Xen versions prior to 4.6 only HVM guests can take advantage of
this unsupported functionality.  In Xen versions from 4.6 onwards all
guest kinds can use this unsupported functionality.

MITIGATION
==========

Not enabling vPMU support (by omitting the "vpmu" hypervisor command
line option) will avoid using and exposing the unsupported
functionality.

RESOLUTION
==========

Applying the attached patch documents the situation.  The patch does
not fix any security issues.

xsa163.patch           xen-unstable

$ sha256sum xsa163*
b9185a45a41f31e7c2f85b79a669b8b1dbf00c6b40a79b00c779b344ccab45b7  xsa163.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJWVJqRAAoJEIP+FMlX6CvZba8H/23BreIs2Gxkh+9Jty8EEMdp
nk3hSpEgxIb101XsbZ4JNwMO8QqBoTi1Bt0+k4bnjdRsU1G/vImacaN9LlefmLJc
jn3n4Ce9ODGQvCEp1LPwWQusduFhMUIaUK6cwB2LclYxUnxCgUpLBFReOp9QIbgZ
Bv+rrw9gcNb8zUKT53FZ7bOApRoU28rSFX1XE72ELPDdGbpTVXxlvQZtKsQY7N7O
Se1COml0MDhufWRf3SNxO2MmqZsg43fsjvJaJgGoXE+4gslcLBMjiwgoUDX2k9CG
Pi4M5uLNLxXJZkgbo1qi8ueQB9yck6tMg+o6f3wDFz28SFfu8/D2szXGOblpE5w=
=2Wqz
-----END PGP SIGNATURE-----

["xsa163.patch" (application/octet-stream)]

x86/vPMU: document as unsupported

This is XSA-163.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
Note that the referenced link will only become active after public
disclosure.

--- a/docs/misc/xen-command-line.markdown
+++ b/docs/misc/xen-command-line.markdown
@@ -1482,8 +1482,9 @@ feature is switched on on Intel processo
 Note that if **watchdog** option is also specified vpmu will be turned off.
 
 *Warning:*
-As the BTS virtualisation is not 100% safe and because of the nehalem quirk
-don't use the vpmu flag on production systems with Intel cpus!
+As the virtualisation is not 100% safe, don't use the vpmu flag on
+production systems (see Xen Security Advisory 163,
+http://xenbits.xen.org/xsa/advisory-163.html)!
 
 ### watchdog
 > `= force | <boolean>`


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic