Bug 1000106 - (CVE-2016-7777) VUL-0: CVE-2016-7777: xen: CR0.TS and CR0.EM not always honored for x86 HVM guests (XSA-190)
(CVE-2016-7777)
VUL-0: CVE-2016-7777: xen: CR0.TS and CR0.EM not always honored for x86 HVM g...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2016-7777:4.9:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-09-21 08:18 UTC by Alexander Bergmann
Modified: 2021-01-22 08:51 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
XTF test (9.30 KB, patch)
2016-10-06 08:11 UTC, Johannes Segitz
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 4 Swamp Workflow Management 2016-09-21 22:00:25 UTC
bugbot adjusting priority
Comment 9 Alexander Bergmann 2016-10-04 12:56:36 UTC
Public release.

            Xen Security Advisory CVE-2016-7777 / XSA-190
                              version 5

        CR0.TS and CR0.EM not always honored for x86 HVM guests

UPDATES IN VERSION 5
====================

Public release.

ISSUE DESCRIPTION
=================

Instructions touching FPU, MMX, or XMM registers are required to raise
a Device Not Available Exception (#NM) when either CR0.EM or CR0.TS are
set.  (Their AVX or AVX-512 extensions would consider only CR0.TS.)
While during normal operation this is ensured by the hardware, if a
guest modifies instructions while the hypervisor is preparing to
emulate them, the #NM delivery could be missed.

Guest code in one task may thus (unintentionally or maliciously) read
or modify register state belonging to another task in the same VM.

IMPACT
======

A malicious unprivileged guest user may be able to obtain or corrupt
sensitive information (including cryptographic material) in other
programs in the same guest.

VULNERABLE SYSTEMS
==================

All versions of Xen expose the vulnerabilty to their x86 HVM guests.

In order to exploit the vulnerability, the attacker needs to be able to
trigger the Xen instruction emulator.

On Xen 4.7 the emulator can only be triggered: by user mode tasks which
have been given access to memory-mapped IO; in guests which have been
migrated between systems with CPUs from different vendors; or in guests
which have been configured with a CPU vendor different from the host's.

On Xen 4.6 and earlier, all HVM guests can trigger the emulator by
attempting to execute an invalid opcode, exposing the vulnerability.

The vulnerability is only exposed to x86 HVM guests.

The vulnerability is not exposed to x86 PV or ARM guests.

MITIGATION
==========

On Xen 4.7, not migrating across CPU vendors will avoid this
vulnerability.  (Unless the guest grants mmio access to unprivileged
tasks, or has been configured with a specific CPU vendor, eg using the
xl "cpuid" configuraton option.)

CREDITS
=======

This issue was discovered by Jan Beulich from SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa190.patch           xen-unstable, Xen 4.7.x
xsa190-4.6.patch       Xen 4.6.x
xsa190-4.5.patch       Xen 4.5.x, Xen 4.4.x

$ sha256sum xsa190*
21e7b1d08874527ab2e4cd23d467e9945afcd753dd3390ab2aaf9d24d231916c  xsa190.patch
477d56c41cc2101432459ab79e4d5663aade779c36285f5c1d6d6ed4e34e1009  xsa190-4.5.patch
dbfc4b36132c841959847dfbb85a188ee6489ad3b8d7ecec43c55a303a43df21  xsa190-4.6.patch
$
Comment 10 Johannes Segitz 2016-10-06 08:11:53 UTC
Created attachment 696113 [details]
XTF test

From: Andrew Cooper

I am sharing this in case it is useful to anyone.  Anyone wishing to
verify the correct backport of XSA-190 may find the attached XTF test
helpful.

For versions of Xen with hvm_fep available, the test fully probes both
hardware and the x86 emulator for expected behaviour (as described in
the Intel/AMD manuals).

For versions of Xen older than 4.7, the test can still still spot
several unpatched cases, when the regular hardware tests end up entering
the x86 emulator anyway.

The default older unpatched logs look something like:

(d1) [   42.941628] --- Xen Test Framework ---
(d1) [   42.941760] Environment: HVM 64bit (Long mode 4 levels)
(d1) [   42.941861] FPU Exception Emulation:
(d1) [   42.941964] Testing x87
(d1) [   42.942061] Testing x87 wait
(d1) [   42.942148] Testing MMX
(d1) [   42.942246]   Expected #UD, got none (cr0: EM)
(d1) [   42.942339]   Expected #UD, got none (cr0: EM TS)
(d1) [   42.942432]   Expected #UD, got none (cr0: EM MP)
(d1) [   42.942532]   Expected #UD, got none (cr0: EM MP TS)
(d1) [   42.942617] Testing SSE
(d1) [   42.942730] Testing SSE (CR4.OSFXSR)
(d1) [   43.128144] FEP support not detected - some tests will be skipped
(d1) [   43.128144] Test result: FAILURE

whereas a fully patched version looks like:

(d11) [ 3471.728730] --- Xen Test Framework ---
(d11) [ 3471.728850] Environment: HVM 64bit (Long mode 4 levels)
(d11) [ 3471.728953] FPU Exception Emulation:
(d11) [ 3471.729033] Testing x87
(d11) [ 3471.729120] Testing x87 wait
(d11) [ 3471.729202] Testing MMX
(d11) [ 3471.729283] Testing SSE
(d11) [ 3471.729377] Testing SSE (CR4.OSFXSR)
(d11) [ 3471.729467] FEP support not detected - some tests will be skipped
(d11) [ 3471.729544] Test result: SKIP

or

(d1) [   42.941628] --- Xen Test Framework ---
(d1) [   42.941760] Environment: HVM 64bit (Long mode 4 levels)
(d1) [   42.941861] FPU Exception Emulation:
(d1) [   42.941964] Testing x87
(d1) [   42.942061] Testing x87 wait
(d1) [   42.942148] Testing MMX
(d1) [   42.942617] Testing SSE
(d1) [   42.942730] Testing SSE (CR4.OSFXSR)
(d1) [   42.942830] Testing emulated x87
(d1) [   42.943495] Testing emulated x87 wait
(d1) [   42.943773] Testing emulated MMX
(d1) [   42.944394] Testing emulated SSE
(d1) [   42.944504] Testing emulated SSE (CR4.OSFXSR)
(d1) [   43.128144] Test result: SUCCESS

depending on whether FEP is available or not.

For further information about XTF, read http://xenbits.xen.org/docs/xtf/
or ask (and I will see about improving the docs).
Comment 11 Charles Arnold 2016-11-30 16:04:26 UTC
Submissions:
============
SUSE:SLE-12-SP2:Update: 124867
SUSE:SLE-12-SP1:Update: 124868
SUSE:SLE-12:Update: 124869
SUSE:SLE-11-SP4:Update: 124870
SUSE:SLE-11-SP3:Update: 124871
SUSE:SLE-11-SP2:Update: 124872
SUSE:SLE-11-SP1:Update: 124873
SUSE:SLE-11-SP1:Update:Teradata: 124981
Comment 12 Swamp Workflow Management 2016-12-02 11:18:48 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-12-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63247
Comment 13 Swamp Workflow Management 2016-12-07 19:07:51 UTC
SUSE-SU-2016:3044-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1005004,1005005,1007157,1009100,1009103,1009107,1009109,1009111,1011652,990843
CVE References: CVE-2016-6351,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-32.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    xen-4.1.6_08-32.1
Comment 14 Swamp Workflow Management 2016-12-09 17:07:36 UTC
SUSE-SU-2016:3067-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004981,1005004,1005005,1007157,1007941,1009100,1009103,1009104,1009105,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9384,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xen-4.7.1_02-25.1
SUSE Linux Enterprise Server 12-SP2 (src):    xen-4.7.1_02-25.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xen-4.7.1_02-25.1
Comment 15 Swamp Workflow Management 2016-12-12 12:08:10 UTC
SUSE-SU-2016:3083-1: An update that fixes 19 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1003870,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-7995,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.5_02-22.3.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.5_02-22.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.5_02-22.3.1
Comment 16 Swamp Workflow Management 2016-12-14 00:19:02 UTC
openSUSE-SU-2016:3134-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004981,1005004,1005005,1007157,1007941,1009100,1009103,1009104,1009105,1009107,1009108,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8910,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9384,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
openSUSE Leap 42.2 (src):    xen-4.7.1_02-3.1
Comment 17 Swamp Workflow Management 2016-12-14 17:08:05 UTC
SUSE-SU-2016:3156-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652,953518
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_05-22.25.1
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_05-22.25.1
Comment 18 Swamp Workflow Management 2016-12-16 15:07:54 UTC
SUSE-SU-2016:3174-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_10-43.5
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_10-43.5
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_10-43.5
Comment 19 Marcus Meissner 2016-12-22 11:02:17 UTC
released
Comment 20 Swamp Workflow Management 2016-12-27 16:11:10 UTC
SUSE-SU-2016:3273-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1000893,1003030,1003032,1005004,1005005,1007157,1007160,1009100,1009103,1009107,1009109,1009111,1011652
CVE References: CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9386,CVE-2016-9637
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-30.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-30.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-30.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xen-4.2.5_21-30.1
Comment 21 Swamp Workflow Management 2017-01-02 12:08:16 UTC
openSUSE-SU-2017:0007-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 1000106,1002496,1003030,1003032,1003870,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009108,1009109,1009111,1011652,1012651,1013657,1013668,1014298,1016340
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-7995,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9101,CVE-2016-9377,CVE-2016-9378,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637,CVE-2016-9776,CVE-2016-9932
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.5_06-18.1
Comment 22 Swamp Workflow Management 2017-01-02 12:12:31 UTC
openSUSE-SU-2017:0008-1: An update that solves 19 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1000106,1000195,1002496,1003030,1003032,1004016,1005004,1005005,1007157,1007160,1009100,1009103,1009104,1009107,1009109,1009111,1011652,1012651,1014298,1016340,953518
CVE References: CVE-2016-10013,CVE-2016-10024,CVE-2016-7777,CVE-2016-7908,CVE-2016-7909,CVE-2016-8576,CVE-2016-8667,CVE-2016-8669,CVE-2016-8909,CVE-2016-8910,CVE-2016-9379,CVE-2016-9380,CVE-2016-9381,CVE-2016-9382,CVE-2016-9383,CVE-2016-9385,CVE-2016-9386,CVE-2016-9637,CVE-2016-9932
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_06-58.1