CVE-2012-2934
PV guest host Denial of Service
A Xen user has discovered that some older AMD CPUs can be made to lock up due to AMD processor erratum #121.
This issue was discovered during testing of the fix for XSA-7 (CVE-2012-0217). Although the two issues are unrelated, the situations which can trigger them may overlap.
improper error handling (no handler)
http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/a9c0a89c08f2
x86-64: detect processors subject to AMD erratum #121 and refuse to boot
Processors with this erratum are subject to a DoS attack by unprivileged guest users.
--- a/xen/arch/x86/cpu/amd.c Tue Jun 12 11:46:11 2012 +0100
+++ b/xen/arch/x86/cpu/amd.c Tue Jun 12 11:42:57 2012 +0100
@@ -32,6 +32,9 @@
static char opt_famrev[14];
string_param("cpuid_mask_cpu", opt_famrev);
+static int opt_allow_unsafe;
+boolean_param("allow_unsafe", opt_allow_unsafe);
+
static inline void wrmsr_amd(unsigned int index, unsigned int lo,
unsigned int hi)
{
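Review bot: The new `allow_unsafe` boot option is declared at the top of amd.c with no comment, and the name does not say what is being allowed. Since it overrides a security check, add a comment above `opt_allow_unsafe` stating that it permits booting on CPUs subject to erratum #121 and that it is only appropriate when all PV guest kernels are trusted. The option should also be described wherever the hypervisor command line is documented, so the trade-off is visible outside the panic text.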
@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
clear_bit(X86_FEATURE_MCE, c->x86_capability);
#ifdef __x86_64__
+ if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
+ panic("Xen will not boot on this CPU for security reasons.\n"
+ "Pass \"allow_unsafe\" if you're trusting all your"
+ " (PV) guest kernels.\n");
+
/* AMD CPUs do not support SYSENTER outside of legacy mode. */
clear_bit(X86_FEATURE_SEP, c->x86_capability);
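Review bot: In init_amd(), when `opt_allow_unsafe` is set on an affected CPU the check falls through silently, so nothing in the boot log records that the host is running with the erratum #121 protection overridden. Consider adding a branch that logs a warning in that case, so operators and later audits can see that the host is exposed to its PV guests. The panic text also does not name the erratum; mentioning "AMD erratum #121" in the message would let an administrator who hits the panic find the reason without reading the source.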
--- a/xen/include/asm-x86/amd.hn 12 11:46:11 2012 +0100
+++ b/xen/include/asm-x86/amd.hn 12 11:42:57 2012 +0100
@@ -127,6 +127,9 @@
#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
+#define AMD_ERRATUM_121 \
+ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
+
#define AMD_ERRATUM_170 \
AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
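Review bot: `AMD_ERRATUM_121` is defined with a bare range literal, `AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf)`, and no comment saying what the erratum is or where the range comes from. Because this constant now decides whether the hypervisor refuses to boot, add a short comment naming the erratum, the CPU range the arguments encode, and the source of that range, so a reader can check it without decoding the macro. It is also worth noting in the comment why the upper bound (0x3f) differs from the one used for `AMD_ERRATUM_170` (0x67) directly below.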
A guest user or administrator of a 64-bit PV guest on a vulnerable system can cause the processor to lock up, leading to a Denial of Service attack against the host.
DoS