Hardware timer context is not properly context switched on ARM

Type xen
Reporter Xen Project
Modified 2014-05-01T10:52:00



When running on an ARM platform Xen was not context switching the CNTKCTL_EL1 register, which is used by the guest kernel to control access by userspace processes to the hardware timers. This meant that any guest can reconfigure these settings for the entire system.


A malicious guest kernel can reconfigure CNTKCTL_EL1 to block userspace access to the timer hardware for all domains, including control domains. Depending on the other guest kernels in use this may cause an unexpected exception in those guests which may lead to a kernel crash and therefore a denial of service. 64-bit ARM Linux is known to be susceptible to crashing in this way. A malicious guest kernel can also enable userspace access to the timer control registers, which may not be expected by kernels running in other domains. This can allow user processes to reprogram timer interrupts and therefore lead to unexpected behaviour, potentially up to and including crashing the guest. Userspace processes will also be able to read the current timestamp value for the domain perhaps leaking information to those processes.


Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards. x86 systems are not vulnerable.