Xen Security Advisory CVE-2018-3665 / XSA-267
Speculative register leakage from lazy FPU context switching
UPDATES IN VERSION 3
x86 has a hardware mechanism for lazy FPU context switching. On a task
switch, %cr0.ts (Task Switched) gets set, and the next instruction to
touch floating point state raises an #NM (No Math, later known as Device
Not Available) exception.
Traditionally, FPU state has been large in comparison to available
bandwidth (and therefore slow to switch) and not used as frequently as
cpu tasks tend to switch. This mechanism allows the OS to only switch
FPU when necessary, which in turn increases performance.
Some CPUs however speculate past an #NM exception, allowing register
content to be leaked by a side-channel.
For more details, see:
An attacker can read x87/MMX/SSE/AVX/AVX-512 register state belonging to
another vCPU previously scheduled on the same processor. This can be
state belonging to a different guest, or state belonging to a different
thread inside the same guest.
Furthermore, similar changes are expected for OS kernels. Consult your
operating system provider for more information.
Systems running all versions of Xen are affected.
Only x86 processors are vulnerable. ARM processors are not known to be
Only Intel Core based processors (from at least Nehalem onwards) are
potentially affected. Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.
Depending on the availability of host resources, leakage can be
prevented between VMs by using cpupools or cpu pinning to isolate the
vCPUs from different VMs to separate pCPUs.
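The following script is an added example, not part of the advisory or of the Xen toolstack: it checks the pinning mitigation above by parsing `xl vcpu-list` output and flagging every pair of domains whose hard affinities overlap, i.e. that the scheduler may still place on the same pCPU. The sample output is constructed, and the column layout assumed (Name, ID, VCPU, CPU, State, Time, "Hard / Soft" affinity) is that of Xen 4.x `xl vcpu-list`.

```python
from itertools import combinations

# Constructed sample of `xl vcpu-list` output; guest2 is allowed on all pCPUs.
SAMPLE = """\
Name                                ID  VCPU   CPU State   Time(s) Affinity (Hard / Soft)
Domain-0                             0     0    0   r--     123.4  0-1 / all
Domain-0                             0     1    1   -b-      98.7  0-1 / all
guest1                               1     0    2   -b-      45.1  2-3 / all
guest1                               1     1    3   -b-      44.0  2-3 / all
guest2                               2     0    2   -b-      30.2  all / all
"""

def parse_cpuset(spec, nr_cpus):
    """Expand an affinity spec such as 'all', '0-1' or '0,2-3' into a set of pCPU ids."""
    if spec == "all":
        return set(range(nr_cpus))
    cpus = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def hard_affinity_by_domain(vcpu_list, nr_cpus):
    """Map each domain name to the union of its vCPUs' hard-affinity pCPU sets."""
    domains = {}
    for line in vcpu_list.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        name, hard = fields[0], fields[6]               # affinity column is "HARD / SOFT"
        domains.setdefault(name, set()).update(parse_cpuset(hard, nr_cpus))
    return domains

def shared_pcpus(vcpu_list, nr_cpus):
    """Return {(domA, domB): shared pCPUs} for every pair of domains that may be
    scheduled on the same pCPU. The current CPU column is only a snapshot; the
    hard affinity is what bounds where a vCPU can run, so that is what we compare."""
    domains = hard_affinity_by_domain(vcpu_list, nr_cpus)
    return {(a, b): domains[a] & domains[b]
            for a, b in combinations(sorted(domains), 2)
            if domains[a] & domains[b]}

if __name__ == "__main__":
    for pair, cpus in shared_pcpus(SAMPLE, nr_cpus=4).items():
        print(f"{pair[0]} and {pair[1]} can share pCPUs {sorted(cpus)}")
```

An empty result means every domain is confined to pCPUs no other domain may use; it says nothing about leakage between threads inside one guest, which the advisory notes is also possible and which pinning does not address.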
This issue was discovered by Julian Stecklina ([hidden email]) from
Amazon and Thomas Prescher ([hidden email]) from
It was also independently discovered by Zdenek Sojka from SYSGO
(http://sysgo.com) and by Colin Percival.
Applying the appropriate attached patch resolves this issue.
xsa267-4.10-*.patch          Xen 4.10.x
xsa267-4.9-*.patch           Xen 4.9.x, 4.8.x
xsa267-4.7-*.patch           Xen 4.7.x
xsa267-4.6-*.patch           Xen 4.6.x
Alternatively, the following patches can be used to create livepatches for
xsa267-livepatch.patch xen-unstable, Xen 4.10.x, 4.9.x
xsa267-4.8-livepatch.patch Xen 4.8.x
$ sha256sum xsa267*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy: