Xen Project XSA-444

x86/AMD: Debug Mask handling

2023-10-10 12:00:00
Xen Project
xenbits.xen.org
Tags: amd, x86, debug mask, handling, issue, denial of service, vulnerability, xen, cpu, guest, hvm, pv, kernel, hardware, dbext, microarchitecture, xen 4.5, xen 4.13, xen 4.14

CVSS2: 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
  Attack Vector: LOCAL
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

CVSS3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

EPSS: 0.001 (percentile 42.0%)

ISSUE DESCRIPTION

AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions.
Unfortunately there are errors in Xen’s handling of the guest state, leading to denials of service.

  1. CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPU's debug mask state.
  2. CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely.

IMPACT

For CVE-2023-34327, any guest (PV or HVM) using Debug Masks normally for its own purposes can cause incorrect behaviour in an unrelated HVM vCPU, most likely resulting in a guest crash.
For CVE-2023-34328, a buggy or malicious PV guest kernel can lock up the host.

VULNERABLE SYSTEMS

Only AMD/Hygon hardware supporting the DBEXT feature is vulnerable. This is believed to be the Steamroller microarchitecture and later.
For CVE-2023-34327, Xen versions 4.5 and later are vulnerable.
For CVE-2023-34328, Xen versions between 4.5 and 4.13 are vulnerable. The issue is benign in Xen 4.14 and later owing to an unrelated change.
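
As an added triage helper (not part of the advisory or of Xen's own tooling), the following Python encodes the hardware and version rules above so a host can be classified from its own `xl info` and `/proc/cpuinfo` text. It assumes `xl info` reports `xen_major`/`xen_minor` lines, that Linux exposes the feature as the `dbext` flag in `/proc/cpuinfo`, and that the CPUID vendor strings are `AuthenticAMD`/`HygonGenuine`; the sample inputs are constructed, not captured from a real host.

```python
"""Triage helper for XSA-444 (CVE-2023-34327 / CVE-2023-34328).

Encodes the advisory's VULNERABLE SYSTEMS rules: only AMD/Hygon hardware
with DBEXT is affected; CVE-2023-34327 covers Xen 4.5 and later, while
CVE-2023-34328 covers Xen 4.5 through 4.13 only (benign from 4.14 on).
"""
import re

# CPUID vendor strings for AMD and Hygon (assumption: Linux reports them as-is)
AFFECTED_VENDORS = {"AuthenticAMD", "HygonGenuine"}


def parse_xen_version(xl_info: str) -> tuple[int, int]:
    """Extract (major, minor) from `xl info` output via its xen_major/xen_minor lines."""
    fields = dict(re.findall(r"^(xen_major|xen_minor)\s*:\s*(\d+)", xl_info, re.M))
    return int(fields["xen_major"]), int(fields["xen_minor"])


def cpu_info(cpuinfo: str) -> tuple[str, bool]:
    """Return (vendor_id, has_dbext) from /proc/cpuinfo text (first CPU block)."""
    vendor = re.search(r"^vendor_id\s*:\s*(\S+)", cpuinfo, re.M).group(1)
    flags = re.search(r"^flags\s*:\s*(.*)$", cpuinfo, re.M).group(1).split()
    return vendor, "dbext" in flags


def affected_cves(version: tuple[int, int], vendor: str, has_dbext: bool) -> set[str]:
    """Which XSA-444 CVEs apply to a host, per the advisory's hardware and version rules."""
    if vendor not in AFFECTED_VENDORS or not has_dbext:
        return set()                    # non-AMD/Hygon or no DBEXT: not vulnerable
    cves = set()
    # Tuple comparison, not string comparison: "4.13" < "4.5" as strings but not as versions.
    if version >= (4, 5):
        cves.add("CVE-2023-34327")      # Xen 4.5 and later
    if (4, 5) <= version <= (4, 13):
        cves.add("CVE-2023-34328")      # benign in Xen 4.14+ owing to an unrelated change
    return cves


# Constructed sample inputs (not from a real host): Xen 4.13 on an AMD CPU with DBEXT.
SAMPLE_XL_INFO = "host : xen-host\nxen_major : 4\nxen_minor : 13\nxen_extra : .4\n"
SAMPLE_CPUINFO = ("processor\t: 0\nvendor_id\t: AuthenticAMD\n"
                  "flags\t\t: fpu vme de pse sse2 dbext perfctr_llc\n")

if __name__ == "__main__":
    ver = parse_xen_version(SAMPLE_XL_INFO)
    vendor, dbext = cpu_info(SAMPLE_CPUINFO)
    hits = sorted(affected_cves(ver, vendor, dbext))
    print(f"Xen {ver[0]}.{ver[1]} on {vendor} (dbext={dbext}): {hits or 'not affected'}")
```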
