[XSA-156] x86: CPU lockup during exception delivery
ISSUE DESCRIPTION
When a benign exception occurs while delivering another benign
exception, it is architecturally specified that these would be
delivered sequentially. There are, however, cases where this results in
an infinite loop inside the CPU, which (in the virtualized case) can be
broken only by intercepting delivery of the respective exception.
Architecturally, at least some of these cases should also be
resolvable by an arriving NMI or external interrupt, but empirically
this has been determined to not be the case.
The cases affecting Xen are:
#AC (Alignment Check Exception, CVE-2015-5307): When a 32-bit guest
sets up the IDT entry corresponding to this exception to reference a
ring-3 handler, and when ring 3 code triggers the exception while
running with an unaligned stack pointer, delivering the exception will
re-encounter #AC, ending in an infinite loop.
#DB (Debug Exception, CVE-2015-8104): When a guest sets up a hardware
breakpoint covering a data structure involved in delivering #DB, upon
completion of the delivery of the first exception another #DB will
need to be delivered. The effects slightly differ depending on further
guest characteristics:
- Guests running in 32-bit mode would be expected to sooner or later encounter another fault due to the stack pointer decreasing during each iteration of the loop. The most likely case would be #PF (Page Fault) due to running into unmapped virtual space. However, an infinite loop cannot be excluded (e.g. when the guest is running with paging disabled).
- Guests running in long mode, but not using the IST (Interrupt Stack Table) feature for the IDT entry corresponding to #DB would behave similarly to guests running in 32-bit mode, just that the larger virtual address space allows for a much longer loop. The loop can't, however, be infinite, as eventually the stack pointer would move into non-canonical address space, causing #SS (Stack Fault) instead.
- Guests running in long mode and using IST for the IDT entry corresponding to #DB would enter an infinite loop, as the stack pointer wouldn't change between #DB instances.
IMPACT
A malicious HVM guest administrator can cause a denial of service.
Specifically, prevent use of a physical CPU for a significant, perhaps
indefinite period.
If a host watchdog (Xen or dom0) is in use, this can lead to a
watchdog timeout and consequently a reboot of the host. If another,
innocent, guest, is configured with a watchdog, this issue can lead to
a reboot of such a guest.
It is possible that a guest kernel might expose the #AC vulnerability
to malicious unprivileged guest users (by permitting #AC to be handled
in guest user mode). However, we believe that almost all ordinary
operating system kernels do not permit this; we are not aware of any
exceptions. (A guest kernel which exposed the #AC vulnerability to
guest userspace would be vulnerable when running on baremetal, without
Xen involved.)
VULNERABLE SYSTEMS
The vulnerability is exposed to any x86 HVM guest.
ARM is not vulnerable. x86 PV VMs are not vulnerable.
All versions of Xen are affected.
x86 CPUs from all manufacturers are affected.
| Package | Affected Version |
|---|---|
 pkg:generic/xen
|
= 4.3.x |
|
pkg:generic/xen
|
= 4.4.x |
|
pkg:generic/xen
|
= 4.5.x |
|
pkg:generic/xen
|
= 4.6.x |
- ID
- XSA-156
- Severity
- medium
- Severity from
- CVE-2015-5307
- URL
- http://xenbits.xen.org/xsa/advisory-156.html
- Published
-
2015-11-10T00:01:00
(8 years ago) - Modified
-
2015-11-10T00:01:00
(8 years ago) - Rights
- Xen Project
- Other Advisories
-
-
DSA-3396-1
-
DSA-3414-1
-
DSA-3426-1
-
DSA-3454-1
-
ELSA-2015-2552
-
ELSA-2015-2636
-
ELSA-2015-3107
-
ELSA-2016-3502
-
ELSA-2016-3503
-
FEDORA-2015-115c302856
-
FEDORA-2015-394835a3f6
-
FEDORA-2015-668d213dc3
-
FEDORA-2015-cd94ad8d7c
-
FEDORA-2015-f150b2a8c8
-
FEDORA-2015-f2c534bc12
-
FREEBSD:2CABFBAB-8BFB-11E5-BD18-002590263BF5
-
RHSA-2015:2552
-
RHSA-2015:2636
-
SUSE-SU-2015:2108-1
-
SUSE-SU-2015:2194-1
-
SUSE-SU-2015:2306-1
-
SUSE-SU-2015:2324-1
-
SUSE-SU-2015:2326-1
-
SUSE-SU-2015:2328-1
-
SUSE-SU-2015:2338-1
-
SUSE-SU-2015:2339-1
-
SUSE-SU-2015:2350-1
-
SUSE-SU-2016:0354-1
-
SUSE-SU-2016:2074-1
-
USN-2800-1
-
USN-2801-1
-
USN-2802-1
-
USN-2803-1
-
USN-2804-1
-
USN-2805-1
-
USN-2806-1
-
USN-2807-1
-
USN-2840-1
-
USN-2841-1
-
USN-2841-2
-
USN-2842-1
-
USN-2842-2
-
USN-2843-1
-
USN-2843-2
-
USN-2844-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| Xen Project | XSA-156 | Security Advisory |
|
| Xen Project | XSA-156 | Signed Security Advisory |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:generic/xen | xen | = 4.3.x | ||||
| Affected | pkg:generic/xen | xen | = 4.4.x | ||||
| Affected | pkg:generic/xen | xen | = 4.5.x | ||||
| Affected | pkg:generic/xen | xen | = 4.6.x |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |