WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM

2015-11-25T15:29:00
ID XSA-161
Type xen
Reporter Xen Project
Modified 2015-11-25T15:29:00

Description

ISSUE DESCRIPTION

NOTE: This advisory has been withdrawn XSETBV is a privileged instruction, i.e. should result in #GP when issued by code running at other than the most privileged level (CPL 0). Unlike other privileged and intercepted instructions in AMD SVM, XSETBV has the privilege level check done after the intercept check, resulting in the need for software to do the checking instead. This software check was missing.

IMPACT

NOTE: This advisory has been withdrawn User mode code of HVM guests running on AVX-capable AMD hardware may effect changes to the set of enabled AVX sub-features in the guest, potentially confusing the guest kernel, likely resulting in crash and hence a Denial of Service to the guest. Other attacks, namely privilege escalation (again inside the guest only), cannot be ruled out.

VULNERABLE SYSTEMS

NOTE: This advisory has been withdrawn, no versions are vulnerable Xen versions from 4.1 onwards are affected. Only x86 AMD systems supporting AVX are affected. Intel systems as well as ARM ones are unaffected. Only HVM guest user mode code can leverage this vulnerability.