Vigil@nce - Xen, KVM: infinite loop of x86 Alignment Check Exception
November 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who is an administrator of a guest system can generate
an infinite loop of Alignment Check Exceptions on Xen/KVM, in order
to trigger a denial of service on the host system.
Impacted products: XenServer, Debian, Fedora, Linux, Ubuntu, Xen.
Severity: 1/4.
Creation date: 10/11/2015.
DESCRIPTION OF THE VULNERABILITY
On an x86 processor, when an exception occurs while the delivery of
another exception is still in progress, the second exception has to
be handled sequentially. Xen and KVM implement workarounds to
prevent infinite loops in this situation.
However, the case of an AC (Alignment Check) exception delivered to
a ring-3 handler while the stack pointer is unaligned is not
handled: pushing the exception frame onto the unaligned stack
raises another AC exception, which repeats the same push.
An attacker who is an administrator of a guest system can therefore
generate an infinite loop of Alignment Check Exceptions on Xen/KVM,
in order to trigger a denial of service on the host system.
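The nested-delivery rule described above, as an added toy model that is not code from the bulletin, from Xen or from KVM: it encodes the benign / contributory / page-fault classification of the Intel SDM double-fault table, shows why an AC exception raised while delivering AC to a ring-3 handler never escalates to a double fault and simply recurs, and models the hypervisor intercepting the vector as the thing that breaks the loop. The vector constants, the Vcpu and Handler types, the assumption that a ring-0 handler always receives an aligned kernel stack, and the `intercepts` set are all assumptions of this model, not details taken from the bulletin.

```python
"""Toy model of nested x86 exception delivery (added illustration; not from
the Vigil@nce bulletin and not Xen or KVM code).

Assumptions of this model:
  * exception classes and "second exception" outcomes follow the Intel SDM
    double-fault table (benign / contributory / page fault);
  * a ring-0 handler always gets an aligned kernel stack via the stack switch;
  * a same-privilege (ring-3) handler keeps the current, possibly unaligned, stack;
  * `intercepts` stands in for the guest exception vectors on which the
    hypervisor takes a VM exit instead of letting the guest loop.
"""
from dataclasses import dataclass

# Vector numbers (Intel SDM numbering)
DE, DB, NMI, BP, OF, BR, UD, NM, DF = 0, 1, 2, 3, 4, 5, 6, 7, 8
TS, NP, SS, GP, PF, MF, AC, MC, XM = 10, 11, 12, 13, 14, 16, 17, 18, 19

BENIGN = {DB, NMI, BP, OF, BR, UD, NM, MF, AC, MC, XM}
CONTRIBUTORY = {DE, TS, NP, SS, GP}
PAGE_FAULT = {PF}


def classify_second(first: int, second: int) -> str:
    """Outcome when `second` is raised while `first` is still being delivered.
    'sequential'   : the CPU simply delivers `second` next (no escalation)
    'double_fault' : the CPU raises #DF instead
    A benign exception on either side never escalates, so #AC during #AC
    delivery is delivered again as #AC, forever, unless something intercepts it."""
    if first in BENIGN or second in BENIGN:
        return "sequential"
    if first in CONTRIBUTORY:
        return "double_fault" if second in CONTRIBUTORY else "sequential"
    # first is a page fault: a second page fault or contributory fault escalates
    return "double_fault"


@dataclass
class Handler:
    dpl: int   # privilege level the handler code runs at (3 = ring-3 handler)


@dataclass
class Vcpu:
    rsp: int            # current stack pointer
    cpl: int            # current privilege level
    ac_enabled: bool    # CR0.AM and EFLAGS.AC set: alignment checks active at CPL 3
    idt: dict           # vector -> Handler
    kernel_rsp: int = 0xFFFF800000010000   # constructed value, 8-byte aligned


def push_frame(vcpu: Vcpu, handler: Handler):
    """Model the implicit stack pushes of exception delivery.
    Returns AC if the push itself faults on an unaligned, alignment-checked
    stack, otherwise None."""
    if handler.dpl < vcpu.cpl:
        # inter-privilege delivery: hardware switches to the ring-0 stack,
        # which this model assumes is always aligned
        vcpu.rsp, vcpu.cpl = vcpu.kernel_rsp, handler.dpl
    if vcpu.cpl == 3 and vcpu.ac_enabled and vcpu.rsp % 8 != 0:
        return AC   # the frame push is itself an unaligned access at CPL 3
    vcpu.rsp -= 5 * 8   # SS, RSP, RFLAGS, CS, RIP
    return None


def deliver(vcpu: Vcpu, vector: int, intercepts=frozenset(), max_steps=32):
    """Deliver `vector` to the guest. Returns (outcome, trace) where outcome is
    'handled', 'vmexit' (hypervisor intercepted the vector) or 'livelock'
    (max_steps reached without the guest ever entering a handler)."""
    trace, in_progress, pending = [], None, vector
    for _ in range(max_steps):
        if pending in intercepts:
            trace.append(("vmexit", pending))
            return "vmexit", trace
        if in_progress is not None:
            rule = classify_second(in_progress, pending)
            trace.append((rule, in_progress, pending))
            if rule == "double_fault":
                pending = DF
        in_progress = pending
        fault = push_frame(vcpu, vcpu.idt[pending])
        if fault is None:
            trace.append(("handled", pending))
            return "handled", trace
        pending = fault   # the push faulted; go round again
    return "livelock", trace


def scenario(handler_dpl: int, rsp: int, intercepts=frozenset()) -> str:
    """Build a guest vCPU whose #AC handler runs at `handler_dpl` with stack
    pointer `rsp`, raise #AC once, and report the outcome. #DF is assumed to
    be serviced by a ring-0 handler."""
    vcpu = Vcpu(rsp=rsp, cpl=3, ac_enabled=True,
                idt={AC: Handler(handler_dpl), DF: Handler(0)})
    outcome, _ = deliver(vcpu, AC, intercepts)
    return outcome


if __name__ == "__main__":
    # unaligned stack and a ring-3 #AC handler: the bulletin's case, which
    # recurs forever when the hypervisor does not intercept #AC
    print(scenario(3, 0x7FFFFFFFF004))           # livelock
    # same guest, hypervisor intercepts #AC: the loop ends in a VM exit
    print(scenario(3, 0x7FFFFFFFF004, {AC}))     # vmexit
    # a ring-0 handler gets the aligned kernel stack: delivered normally
    print(scenario(0, 0x7FFFFFFFF004))           # handled
```

The point the model makes for a defender is that the hardware's own escalation rule offers no way out here, since AC is in the benign class, so the only place the loop can be broken is in the hypervisor by taking a VM exit on the vector rather than leaving it to the guest.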
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-KVM-infinite-loop-of-x86-Alignment-Check-Exception-18268