XSA-44: Xen PV DoS vulnerability with SYSENTER

Xen Project (xenbits.xen.org)
Published: 2013-04-18 12:00:00

CVSS2: 1.9 (Low)  AV:L/AC:M/Au:N/C:N/I:N/A:P

  Access Vector           LOCAL
  Access Complexity       MEDIUM
  Authentication          NONE
  Confidentiality Impact  NONE
  Integrity Impact        NONE
  Availability Impact     PARTIAL

EPSS: 0.001 (Low), percentile 26.0%

ISSUE DESCRIPTION

The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified; in particular, the NT flag does not get cleared. If the hypervisor subsequently uses IRET to return to the guest (which it always does if the guest is a 32-bit one), that instruction raises a #GP fault because NT is set, but the recovery code in the hypervisor again tries to use IRET without first clearing the NT flag. The #GP fault raised on this second IRET is a fatal event, causing the hypervisor to crash.

IMPACT

Malicious or buggy unprivileged user space can cause the entire host to crash.

VULNERABLE SYSTEMS

All 64-bit Xen versions from 3.1 onwards running on Intel CPUs are vulnerable. 32-bit Xen is not affected, as it does not permit the use of SYSENTER by PV guests. 64-bit Xen running on AMD CPUs is not affected, since AMD CPUs do not allow the use of SYSENTER in long mode.
The vulnerability is only exposed by PV guests.
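The affected configuration above has three host-side conditions (64-bit hypervisor, Xen 3.1 or later, Intel CPU) plus the presence of PV guests. The following Python is an added example written for this page, not Xen project code: it evaluates the three host-side conditions from the text of `xl info` and `/proc/cpuinfo`. It assumes `xl info` prints the keys `xen_major`, `xen_minor` and `xen_caps` and that `/proc/cpuinfo` carries a `vendor_id` line; all sample output below is constructed. Whether PV guests are running is not detected here and remains a separate check.

```python
"""Host-side check for the conditions listed in XSA-44.

Added example, not Xen project code.  Reads `xl info`-style text (keys
xen_major, xen_minor, xen_caps assumed present, as on real hosts) and
/proc/cpuinfo text (vendor_id line) and reports whether the host matches the
affected configuration: 64-bit Xen, version 3.1 or later, Intel CPU.  The
advisory says only PV guests expose the bug, so that is left as a separate
check and not claimed here.
"""


def make_xl_info(major, minor, caps):
    """Build constructed `xl info`-shaped text (real key names, invented values)."""
    return (
        "host                   : xen-host-1\n"
        "machine                : x86_64\n"
        f"xen_major              : {major}\n"
        f"xen_minor              : {minor}\n"
        "xen_extra              : .0\n"
        f"xen_caps               : {caps}\n"
    )


# Constructed samples: a 64-bit Xen 4.2 host, a 64-bit Xen 3.0 host, and a
# 32-bit Xen 4.2 host (its xen_caps lists only x86_32 guest types).
SAMPLE_XEN42_64 = make_xl_info(4, 2, "xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_64")
SAMPLE_XEN30_64 = make_xl_info(3, 0, "xen-3.0-x86_64 xen-3.0-x86_32p")
SAMPLE_XEN42_32 = make_xl_info(4, 2, "xen-3.0-x86_32p hvm-3.0-x86_32")

# Constructed /proc/cpuinfo fragments; only the vendor_id line matters here.
CPUINFO_INTEL = "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
CPUINFO_AMD = "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 21\n"


def parse_kv(text):
    """Parse 'key : value' lines; both `xl info` and /proc/cpuinfo use this shape.

    The first occurrence of a key wins (cpuinfo repeats keys once per CPU).
    """
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        out.setdefault(key.strip(), value.strip())
    return out


def xsa44_exposure(xl_info_text, cpuinfo_text):
    """Evaluate the three host-side conditions from the advisory."""
    info = parse_kv(xl_info_text)
    cpu = parse_kv(cpuinfo_text)
    version = (int(info.get("xen_major", 0)), int(info.get("xen_minor", 0)))
    caps = info.get("xen_caps", "").split()
    result = {
        "version_3_1_or_later": version >= (3, 1),
        # A 64-bit hypervisor advertises a 64-bit PV capability token ("xen-...-x86_64").
        "hypervisor_64bit": any(t.startswith("xen-") and t.endswith("x86_64") for t in caps),
        "intel_cpu": cpu.get("vendor_id") == "GenuineIntel",
    }
    result["host_affected"] = all(result.values())
    return result


if __name__ == "__main__":
    cases = [
        ("Xen 4.2 64-bit / Intel", SAMPLE_XEN42_64, CPUINFO_INTEL),
        ("Xen 4.2 64-bit / AMD", SAMPLE_XEN42_64, CPUINFO_AMD),
        ("Xen 3.0 64-bit / Intel", SAMPLE_XEN30_64, CPUINFO_INTEL),
        ("Xen 4.2 32-bit / Intel", SAMPLE_XEN42_32, CPUINFO_INTEL),
    ]
    for label, xl, cpu in cases:
        r = xsa44_exposure(xl, cpu)
        verdict = ("matches affected configuration (exposed if PV guests run)"
                   if r["host_affected"] else "not affected")
        print(f"{label}: {verdict}")
```

On a live host, feed the real output of `xl info` and the contents of `/proc/cpuinfo` to `xsa44_exposure`; a host that matches all three conditions is exposed only while PV guests are present, so the guest inventory is the remaining input to the decision.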

Affected product (CPE):

  CPE Name  Operator  Version
  xen       ge        3.1
