PV guest host Denial of Service

A Xen user has discovered that some older AMD CPUs can be made to lock up due to AMD processor erratum #121.

This issue was discovered during testing of the fix for XSA-7 (CVE-2012-0217). Although the two issues are unrelated the situations which can trigger them may overlap.

improper error handling (no handler)



x86-64: detect processors subject to AMD erratum #121 and refuse to boot

Processors with this erratum are subject to a DoS attack by unprivileged guest users.

 --- a/xen/arch/x86/cpu/amd.c   Tue Jun 12 11:46:11 2012 +0100
 +++ b/xen/arch/x86/cpu/amd.c   Tue Jun 12 11:42:57 2012 +0100
 @@ -32,6 +32,9 @@
  static char opt_famrev[14];
  string_param("cpuid_mask_cpu", opt_famrev);
 +static int opt_allow_unsafe;
 +boolean_param("allow_unsafe", opt_allow_unsafe);
  static inline void wrmsr_amd(unsigned int index, unsigned int lo, 
        unsigned int hi)
 @@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
        clear_bit(X86_FEATURE_MCE, c->x86_capability);
  #ifdef __x86_64__
 +  if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
 +      panic("Xen will not boot on this CPU for security reasons.\n"
 +            "Pass \"allow_unsafe\" if you're trusting all your"
 +            " (PV) guest kernels.\n");
    /* AMD CPUs do not support SYSENTER outside of legacy mode. */
    clear_bit(X86_FEATURE_SEP, c->x86_capability);
 --- a/xen/include/asm-x86/amd.hn 12 11:46:11 2012 +0100
 +++ b/xen/include/asm-x86/amd.hn 12 11:42:57 2012 +0100
 @@ -127,6 +127,9 @@
  #define AMD_MODEL_RANGE_START(range)    (((range) >> 12) & 0xfff)
  #define AMD_MODEL_RANGE_END(range)      ((range) & 0xfff)
 +#define AMD_ERRATUM_121                                                 \
 +    AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
  #define AMD_ERRATUM_170                                                 \
      AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))


A guest user or administrator of a 64 bit PV guest on a vulnerable system can cause the processor to lock up, leading to a Denial of Service attack against the host.