Bug 509176 (CVE-2014-3125) - <app-emulation/xen-{4.2.4-r2,4.3.2-r2,4.4.0-r2}: Hardware timer context is not properly context switched on ARM (CVE-2014-3125) (XSA-91)
Summary: <app-emulation/xen-{4.2.4-r2,4.3.2-r2,4.4.0-r2}: Hardware timer context is no...
Alias: CVE-2014-3125
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2014-04-30 13:00 UTC by Agostino Sarubbo
Modified: 2014-05-14 12:36 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-04-30 13:00:47 UTC
From ${URL} :

                     Xen Security Advisory XSA-91
                               version 2

    Hardware timer context is not properly context switched on ARM

Public release.

When running on an ARM platform Xen was not context switching the
CNTKCTL_EL1 register, which is used by the guest kernel to control
access by userspace processes to the hardware timers. This meant that
any guest can reconfigure these settings for the entire system.

A malicious guest kernel can reconfigure CNTKCTL_EL1 to block
userspace access to the timer hardware for all domains, including
control domains. Depending on the other guest kernels in use this may
cause an unexpected exception in those guests which may lead to a
kernel crash and therefore a denial of service.

64-bit ARM Linux is known to be susceptible to crashing in this way.

A malicious guest kernel can also enable userspace access to the timer
control registers, which may not be expected by kernels running in
other domains. This can allow user processes to reprogram timer
interrupts and therefore lead to unexpected behaviour, potentially up
to and including crashing the guest. Userspace processes will also be
able to read the current timestamp value for the domain perhaps
leaking information to those processes.

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards.

x86 systems are not vulnerable.

Chen Baozi discovered this issue as a bug which was then diagnosed by
Julien Grall.

Applying the appropriate attached patch resolves this issue.

xsa91-unstable.patch                  xen-unstable
xsa91-4.4.patch                       Xen 4.4.x

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
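The advisory above describes a classic missing save/restore bug: a register that is per-guest policy was treated as global hardware state. The toy model below (an added example, not Xen's code or the XSA-91 patch) replaces the real system register with a plain global and shows why the victim domain ends up running under whatever CNTKCTL_EL1 value the last guest left behind; the bit names are the ARM architecture's EL0 access-control bits, and `ctxt_switch_fixed` illustrates the save-on-exit/restore-on-entry pattern a fix needs.

```c
/* Toy model of per-vCPU CNTKCTL_EL1 context switching (added example).
 * The "hardware register" is a global; real code uses mrs/msr. */
#include <stdint.h>
#include <stdbool.h>

/* CNTKCTL_EL1 bits that gate EL0 (userspace) access to timers/counters. */
#define CNTKCTL_EL0PCTEN (1u << 0) /* EL0 may read the physical counter */
#define CNTKCTL_EL0VCTEN (1u << 1) /* EL0 may read the virtual counter */
#define CNTKCTL_EL0VTEN  (1u << 8) /* EL0 may access virtual timer regs */
#define CNTKCTL_EL0PTEN  (1u << 9) /* EL0 may access physical timer regs */

static uint32_t hw_cntkctl_el1; /* stands in for the physical register */

struct vcpu {
    int domid;
    uint32_t cntkctl; /* per-vCPU saved copy; absent in the vulnerable case */
};

/* A guest kernel writing its own userspace timer-access policy. */
static void guest_set_cntkctl(uint32_t val) { hw_cntkctl_el1 = val; }

/* Vulnerable switch: CNTKCTL_EL1 is simply not part of the context. */
static void ctxt_switch_vulnerable(struct vcpu *prev, struct vcpu *next) {
    (void)prev; (void)next; /* nothing saved, nothing restored */
}

/* Fixed switch: save the outgoing vCPU's value, restore the incoming one's. */
static void ctxt_switch_fixed(struct vcpu *prev, struct vcpu *next) {
    prev->cntkctl = hw_cntkctl_el1;  /* read CNTKCTL_EL1 */
    hw_cntkctl_el1 = next->cntkctl;  /* write CNTKCTL_EL1 */
}

/* Does this CNTKCTL_EL1 value let EL0 touch the physical timer registers? */
static bool el0_can_access_ptimer(uint32_t cntkctl) {
    return (cntkctl & CNTKCTL_EL0PTEN) != 0;
}

/* Victim runs with victim_val, another guest runs and writes other_val,
 * victim is scheduled again: return the value victim's userspace now sees. */
static uint32_t observed_after_switch(bool fixed, uint32_t victim_val,
                                      uint32_t other_val) {
    struct vcpu victim = { .domid = 0, .cntkctl = victim_val };
    struct vcpu other  = { .domid = 1, .cntkctl = 0 };
    void (*sw)(struct vcpu *, struct vcpu *) =
        fixed ? ctxt_switch_fixed : ctxt_switch_vulnerable;

    hw_cntkctl_el1 = victim_val;   /* victim currently running */
    sw(&victim, &other);           /* schedule the other guest */
    guest_set_cntkctl(other_val);  /* its kernel rewrites the register */
    sw(&other, &victim);           /* schedule the victim again */
    return hw_cntkctl_el1;
}
```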
Comment 1 Yixun Lan gentoo-dev 2014-05-10 00:07:20 UTC
Bug fixed in the versions below, and only ARCH=arm is affected (see comments in bug 509054 for more details):
xen-4.4.0-r2 xen-4.3.2-r2 xen-4.2.4-r2