[kernel-xen] Xen Security Advisory 62 (CVE-2013-1442) - Information leak on AVX and/or LWP capable CPUs

Steven Haigh netwiz at crc.id.au
Wed Sep 25 18:53:00 EST 2013

Hi all,

This has just been released by the Xen Security Team.

As yet, I am not releasing a fix to this as a seperate release as there
is another 2 XSA's that are currently under embargo due to be released
on 2013-09-30.

I am currently testing packages with XSA62, XSA63 and XSA66 patched and
will released them when the embargo ends.

For the moment, using the steps in MITIGATION will stop this from being

            Xen Security Advisory CVE-2013-1442 / XSA-62
                              version 2

            Information leak on AVX and/or LWP capable CPUs


Public release.


When a guest increases the set of extended state components for a vCPU
restored via XSAVE/XRSTOR (to date this can only be the upper halves of YMM
registers, or AMD's LWP state) after already having touched other extended
registers restored via XRSTOR (e.g. floating point or XMM ones) during its
current scheduled CPU quantum, the hypervisor would make those registers
accessible without discarding the values an earlier scheduled vCPU may have
left in them.


A malicious domain may be able to leverage this to obtain sensitive
such as cryptographic keys from another domain.


Xen 4.0 and onwards are vulnerable when run on systems with processors
supporting AVX and/or LWP.  Any kind of guest can exploit the vulnerability.

In Xen 4.0.2 through 4.0.4 as well as in Xen 4.1.x XSAVE support is
disabled by
default; therefore systems running these versions are not vulnerable unless
support is explicitly enabled using the "xsave" hypervisor command line

Systems using processors supporting neither AVX nor LWP are not vulnerable.

Xen 3.x and earlier are not vulnerable.


Turning off XSAVE support via the "no-xsave" hypervisor command line option
will avoid the vulnerability.


Jan Beulich discovered this issue.


Applying the attached patch resolves this issue.

xsa62.patch                 Xen 4.2.x, 4.3.x, and unstable
xsa62-4.1.patch             Xen 4.1.x

$ sha256sum xsa62*.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xsa62-4.1.patch
Type: application/octet-stream
Size: 1396 bytes
Desc: not available
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20130925/86f95b35/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xsa62.patch
Type: application/octet-stream
Size: 1350 bytes
Desc: not available
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20130925/86f95b35/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.wireless.org.au/pipermail/kernel-xen/attachments/20130925/86f95b35/attachment.sig>

More information about the kernel-xen mailing list