-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory XSA-261
x86 vHPET interrupt injection errors
UPDATES IN VERSION 2
Versions 3.1 ... 3.3 don't appear to be vulnerable.
Updated .meta file
The High Precision Event Timer (HPET) can be configured to deliver
interrupts in one of three different modes - through legacy interrupts;
through the IO-APIC; or optionally via a method similar to PCI MSI. The
last mode is optional and not implemented by Xen. However, of the first
two modes, only the legacy variant was properly implemented.
If a guest set up an HPET timer in IO-APIC mode, Xen would still
handle this using the code for the legacy mode. Unfortunately, the
available IO-APIC mode interrupt numbers are higher than legacy mode
interrupts. The result was array overruns.
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.
Xen versions 3.4 and later are vulnerable.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only x86 HVM guests can exploit the vulnerability. x86 PV and PVH
guests cannot exploit the vulnerability.
Only x86 HVM guests provided with hypervisor-side HPET emulation can
exploit the vulnerability. That is the default configuration. x86
HVM guests whose configuration explicitly disables this emulation (via
"hpet=0") cannot exploit the vulnerability.
Running only PV or PVH guests avoids the vulnerability.
Not exposing the hypervisor based HPET emulation to HVM guests, by
adding "hpet=0" to the guest configuration, also avoids the
This issue was discovered by Roger Pau Monné of Citrix.
Applying the appropriate attached patch resolves this issue.
xsa261.patch xen-unstable, Xen 4.10.x
xsa261-4.9.patch Xen 4.9.x
xsa261-4.8.patch Xen 4.8.x
xsa261-4.7.patch Xen 4.7.x, Xen 4.6.x
$ sha256sum xsa261*
DEPLOYMENT DURING EMBARGO
Deployment of the patches described above (or others which are
substantially similar) and the PV/PVH guest mitigation are permitted
during the embargo, even on public-facing systems with untrusted guest
users and administrators.
HOWEVER deployment of the "hpet=0" guest config mitigation described
above is NOT permitted (except where all the affected systems and VMs
are administered and used only by organisations which are members of
the Xen Project Security Issues Predisclosure List). Specifically,
deployment on public cloud systems is NOT permitted.
This is because in that case the configuration change is visible to the
guest, which could lead to the rediscovery of the vulnerability.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Xen-announce mailing list
|Free forum by Nabble||Edit this page|