Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624120 (CVE-2017-10916) - <app-emulation/xen-4.7.3: PKRU and BND* leakage between vCPU-s
Summary: <app-emulation/xen-4.7.3: PKRU and BND* leakage between vCPU-s
Alias: CVE-2017-10916
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: CVE-2017-10920, CVE-2017-10921, CVE-2017-10922
  Show dependency tree
Reported: 2017-07-07 14:56 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-10-15 20:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-07 14:56:40 UTC
From $URL:


Memory Protection Extensions (MPX) and Protection Key (PKU) are features in
newer processors, whose state is intended to be per-thread and context
switched along with all other XSAVE state.

Xen's vCPU context switch code would save and restore the state only
if the guest had set the relevant XSTATE enable bits.  However,
surprisingly, the use of these features is not dependent (PKU) or may
not be dependent (MPX) on having the relevant XSTATE bits enabled.

VMs which use MPX or PKU, and context switch the state manually rather
than via XSAVE, will have the state leak between vCPUs (possibly,
between vCPUs in different guests).  This in turn corrupts state in
the destination vCPU, and hence may lead to weakened protections

Experimentally, MPX appears not to make any interaction with BND*
state if BNDCFGS.EN is set but XCR0.BND{CSR,REGS} are clear.  However,
the SDM is not clear in this case; therefore MPX is included in this
advisory as a precaution.


There is an information leak, of control information mentioning
pointers into guest address space; this may weaken address space
randomisation and make other attacks easier.

When an innocent guest acquires leaked state, it will run with
incorrect protection state.  This could weaken the protection intended
by the MPX or PKU features, making other attacks easier which would
otherwise be excluded; and the incorrect state could also cause a
denial of service by preventing legitimate accesses.


Xen 4.4 and earlier are not vulnerable, as they do not use or expose
MPX or PKU to guests.  Xen 4.5 and later expose MPX to guests.  Xen
4.7 and later expose PKU to guests.  Therefore, Xen 4.5 and later are

Only x86 hardware implementing the MPX or PKU features is vulnerable.
At the time of writing, these are Intel Skylake (and later) processors
for MPX, and Intel Skylake Server (and later) processors for PKU.

ARM hardware is not vulnerable.

The vulnerability is only exposed to HVM guests.  PV guests cannot
exploit the vulnerability.

Vulnerable guest operating systems
- ----------------------------------

Guests which use XSAVE for context switching PKU and MPX state are not
vulnerable to inbound corruption caused by another malicious domain.

With respect to PKU, the remaining outbound information leak is of no
conceivable consequence.  And, experimentally, MPX does not appear to
have a real vulnerability, even though the CPU documentation is not

Therefore we think that these guests (those which use XSAVE) are not

Linux uses XSAVE, so is therefore not vulnerable.


Passing "pku=0" on the hypervisor command line will avoid the PKU
vulnerability (by not advertising the feature to guests).

There is no corresponding option for the probably-theoretical MPX


This issue was discovered by Andrew Cooper of Citrix.


Applying the appropriate attached patch resolves this issue.

xsa220.patch           xen-unstable
xsa220-4.8.patch       Xen 4.8
xsa220-4.7.patch       Xen 4.7
xsa220-4.6.patch       Xen 4.6
xsa220-4.5.patch       Xen 4.5

$ sha256sum xsa220*
8b86d9a284c0b14717467e672e63aebfc2bce201658493a54c64fb7c1863ce49  xsa220.patch
4b53ad5748313fb92c68eac1160b00d1bf7310019657028122a455855334252b  xsa220-4.5.patch
befe5ca5321d903428fc496abeee3a3b5eb0cee27a382e20d3caf8cc7bdfced2  xsa220-4.6.patch
555fa741348909943393aaf73571bc7817b30eafcff73dbfcd73911113db5d7f  xsa220-4.7.patch
7a41ad9c6f9d46536abae051c517456bdfa3564278e98f80222a904df749fb0c  xsa220-4.8.patch


Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Comment 1 Yixun Lan archtester gentoo-dev 2017-07-12 07:30:10 UTC
commit 7a8fc554850ee501e1ad705b4154874adf102947 
Author: Yixun Lan <>             
Date:   Wed Jul 12 15:15:52 2017 +0800          

    app-emulation/xen: security bump            
    fix XSA-217,218,219,220,221,222,223,224,225 
    Gentoo-Bug: 624112,624114,624116,624118,624120,624122,624124,624126,624130                  
    Package-Manager: Portage-2.3.6, Repoman-2.3.2                                               

:100644 100644 6534404116c... 49df2654a33... M  app-emulation/xen/Manifest                      
:000000 100644 00000000000... f66bd1b70f8... A  app-emulation/xen/xen-4.7.3.ebuild              
:000000 100644 00000000000... bf73951bc39... A  app-emulation/xen/xen-4.8.1-r2.ebuild
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-21 04:21:31 UTC
Thank you Yixun Lan

Arches please let us know when all is stable
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-08-20 21:56:08 UTC
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-15 20:10:14 UTC
GLSA Vote: No

Cleanup will occur in another bug.