Vigil@nce - Xen: infinite loop of x86 Debug Exception
November 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who is an administrator in a guest system can trigger
an infinite loop with a Debug Exception on Xen, in order to
cause a denial of service on the host system.
Impacted products: XenServer, Fedora, Xen.
Severity: 1/4.
Creation date: 10/11/2015.
DESCRIPTION OF THE VULNERABILITY
On an x86 processor, when an exception occurs while another
exception is in progress, the second one has to be handled
sequentially. Xen implements workarounds to prevent infinite
loops in this case.
However, the case where a DB (Debug) exception occurs with a
hardware breakpoint is not handled.
An attacker who is an administrator in a guest system can therefore
trigger an infinite loop with a Debug Exception on Xen, in order
to cause a denial of service on the host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-infinite-loop-of-x86-Debug-Exception-18269