===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0587
               Xen Security Advisory CVE-2014-2915 / XSA-93
                               24 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2915  

Original Bulletin: 
   http://xenbits.xenproject.org/xsa/advisory-93.html

--------------------------BEGIN INCLUDED TEXT--------------------

             Xen Security Advisory CVE-2014-2915 / XSA-93
                              version 2

      Hardware features unintentionally exposed to guests on ARM

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2014-2915.

ISSUE DESCRIPTION
=================

When running on an ARM platform Xen was not correctly configuring the
hardware virtualisation platform and therefore did not prevent guests
from accessing various hardware features including cache control,
coprocessors, debug registers and various processor specific
registers.

IMPACT
======

By accessing these hardware facilities a malicious or buggy guest may
be able to cause various issues, including crashing the host, crashing
other guests (including control domains) and data corruption.

Privilege escalation is not thought to be possible but has not been
ruled out.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards.

x86 systems are not vulnerable.

MITIGATION
==========

None.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.  The public mailing list thread
contains information strongly suggestive of a security bug and
included example code which can crash the host.

CREDITS
=======

The initial bug was discovered by Thomas Leonard and further followup
issues were discovered by Julien Grall.

RESOLUTION
==========

Applying the attached patches resolves this issue.

xsa93-unstable-{01..06}.patch        xen-unstable
xsa93-4.4-{01..06}.patch             Xen 4.4.x

$ sha256sum xsa93*.patch
9a01ed1c7d33d2381594af3b0985df50f3aa7f13f5a9989595427407c5a5eb06  xsa93-4.4-01.patch
68ec2bdb48dd232dbabefbe7c971546b52d7001a128471226a41f36e27a806f2  xsa93-4.4-02.patch
541d2d57ee85a9603ae4bf00bb321f6f491354df9e15eb09ddb5ccba68333ecc  xsa93-4.4-03.patch
6a3736e5dea1d45df6b979f02e06e058d8dffdbcf128d2d0984db404a87ebb62  xsa93-4.4-04.patch
282e2cf82ad4345573d21351c242684cd09f384bcd76c262740f9e33f8b04c9c  xsa93-4.4-05.patch
e212ad288eaeccf6a33cab27ecc6515a889365b0c56b5010e91a603ce239a38b  xsa93-4.4-06.patch
9a01ed1c7d33d2381594af3b0985df50f3aa7f13f5a9989595427407c5a5eb06  xsa93-unstable-01.patch
9b472975087dee1d22db8e5f3e55b1589910d84de86b2cad218bfd540fbbd92e  xsa93-unstable-02.patch
f921ba7c1b216dd425035f94ac9eef9374ae5eba4af4cb5a3b7aa3f958a0a767  xsa93-unstable-03.patch
45b7e6b226a4449370c4dbe21aa71c398955e4ed2bc7cf9e4426f29583af14be  xsa93-unstable-04.patch
282e2cf82ad4345573d21351c242684cd09f384bcd76c262740f9e33f8b04c9c  xsa93-unstable-05.patch
e2668f0ecf1e79aa30928791b92a15c15821c8bce7958a5c3fee7563cf81960b  xsa93-unstable-06.patch
$

NOTE: These patches unconditionally deny access by all guests
(including control domains) to various hardware features in order to
close the vulnerability. Specifically guests are prevented from
accessing:

  * coprocessors 0..9, 12 and 13;
  * coprocessor 14 (trace registers);
  * coprocessor 15 encodings:
      CRn==c9, opc1=={0-7}, CRm=={c0-c2, c5-c8}, opc2=={0-7},
      CRn==c10, opc1=={0-7}, CRm=={c0, c1, c4, c8}, opc2=={0-7}
      CRn==c11, opc1=={0-7}, CRm=={c0-c8, c15}, opc2=={0-7}
    (IMPLEMENTATION DEFINED cache, TCM, branch predictor, memory
     remapping, and TLB control registers);
  * cp15 c15 (IMPLEMENTATION DEFINED);
  * Debug and Performance monitor registers.

We have checked common Operating Systems which are known to run on Xen
on ARM and not found any default uses of these registers. However it
is expected that tools such as the Linux perf tool which make use of
debug and performance registers will no longer function correctly in
guest context. In addition if your use case requires access to
specific coprocessors by one or more guest domains then additional
local patches may be required to enable this.
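
As an added illustration (not part of the Xen advisory or its patches), the following C code decodes A32 MCR/MRC instruction words and reports whether the access falls under the encodings listed above, which helps when auditing guest code for register uses that stop working once the patches are applied. It assumes the standard A32 MCR/MRC field layout, treats the coprocessor 14 bullet as covering all of cp14, and does not model the debug and performance monitor bullet because the advisory gives no encodings for it; all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Fields of an A32 MCR/MRC coprocessor register transfer. */
struct cp_access { unsigned coproc, opc1, crn, crm, opc2; };

/* Decode one A32 word; returns false if it is not MCR/MRC. */
bool decode_mcr_mrc(uint32_t insn, struct cp_access *a)
{
    if ((insn & 0x0f000010u) != 0x0e000010u) /* bits[27:24]=1110, bit[4]=1 */
        return false;
    a->opc1   = (insn >> 21) & 7;
    a->crn    = (insn >> 16) & 15;
    a->coproc = (insn >> 8) & 15;
    a->opc2   = (insn >> 5) & 7;
    a->crm    = insn & 15;
    return true;
}

/* True if the access is in the advisory's denied list. opc1 and opc2 are
 * listed as {0-7}, the full 3-bit range, so only CRn and CRm decide. */
bool xsa93_listed(const struct cp_access *a)
{
    if (a->coproc <= 9 || (a->coproc >= 12 && a->coproc <= 14))
        return true;                  /* cp0..9, cp12, cp13, cp14 */
    if (a->coproc != 15)
        return false;                 /* cp10/cp11 are not in the list */
    switch (a->crn) {                 /* bit n of each mask = CRm cn */
    case 9:  return (0x01e7u >> a->crm) & 1;   /* c0-c2, c5-c8 */
    case 10: return (0x0113u >> a->crm) & 1;   /* c0, c1, c4, c8 */
    case 11: return (0x81ffu >> a->crm) & 1;   /* c0-c8, c15 */
    case 15: return true;                      /* cp15 c15 */
    default: return false;
    }
}
/* -1: not MCR/MRC, 0: not in the list, 1: in the list. */
int xsa93_check_insn(uint32_t insn)
{
    struct cp_access a;
    return decode_mcr_mrc(insn, &a) ? (int)xsa93_listed(&a) : -1;
}

int main(void)
{
    /* Constructed sample words, not taken from any real guest image. */
    const uint32_t words[] = { 0xee190f10, 0xee110f10, 0xee0a0f12, 0xee000e10, 0xe1a00000 };
    for (unsigned i = 0; i < sizeof words / sizeof words[0]; i++)
        printf("%08x -> %d\n", (unsigned)words[i], xsa93_check_insn(words[i]));
}
```

Thumb (T32) encodings and AArch64 system register accesses use different instruction layouts and are outside what this example decodes.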

Where feasible we hope to reenable these use cases in the future. If
this affects you then please contact the xen-devel mailing list
http://lists.xen.org/mailman/listinfo/xen-devel.

--------------------------END INCLUDED TEXT--------------------


NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
