FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xen-kernel -- CR0.TS and CR0.EM not always honored for x86 HVM guests

Affected packages
xen-kernel < 4.7.1

Details

VuXML ID 4d7cf654-ba4d-11e6-ae1b-002590263bf5
Discovery 2016-10-04
Entry 2016-12-04

The Xen Project reports:

Instructions touching FPU, MMX, or XMM registers are required to raise a Device Not Available Exception (#NM) when either CR0.EM or CR0.TS are set. (Their AVX or AVX-512 extensions would consider only CR0.TS.) While during normal operation this is ensured by the hardware, if a guest modifies instructions while the hypervisor is preparing to emulate them, the #NM delivery could be missed.

Guest code in one task may thus (unintentionally or maliciously) read or modify register state belonging to another task in the same VM.

A malicious unprivileged guest user may be able to obtain or corrupt sensitive information (including cryptographic material) in other programs in the same guest.

References

CVE Name CVE-2016-7777
FreeBSD PR ports/214936
URL https://xenbits.xen.org/xsa/advisory-190.html