11 comments

[ 3.3 ms ] story [ 43.3 ms ] thread
Amusingly, not the first CMPXCHG8B-related bug.
Note that this is a bug in Xen (https://en.wikipedia.org/wiki/Xen, the hypervisor), not in any actual x86 hardware.

It accidentally failed to ignore operand size information from the instruction stream, which could lead to leaks of 32 or 96 bits of hypervisor memory contents to a guest.

The patch is pretty straight-forward:

             if ( op_bytes == 8 )
    +        {
                 host_and_vcpu_must_have(cx16);
    -        op_bytes *= 2;
    +            op_bytes = 16;
    +        }
    +        else
    +            op_bytes = 8;
I assume (didn't read the full code) that op_bytes came from the instruction stream.
Note that this is a Xen bug, not an Intel bug.

That said, those who believe the x86 instruction set is too complex do have one more argument now.

Why does Xen need x86 emulation code anyway?
To run x86 code on non-x86 machines would be my first guess. But I know nothing.
I thought so too at first, but I'd expect non-x86 host systems running x86 guests to be vulnerable if that were the case. The advisory seems to indicate otherwise.

Anyway, I've done some digging and found an explanation here: https://insinuator.net/2015/02/the-dangers-of-x86-emulation-...

tl;dr: it falls back to emulation for very specific cases that cannot be handled by hardware-assisted virtualization

There are some instructions that are not privileged but may leak information about the host environment to the VM. Such instructions are referred to as sensitive instructions. To prevent sensitive instructions from being misused inside the VM, they are emulated.

Another explanation is that some older x86 processors may not have full hardware virtualization support, so Xen emulates the instructions to support a wider number of host configurations.

I may be completely wrong though.

The x86 instruction set wasn't designed with hardware virtualisation in mind. Some of its instructions are defined to leak state from higher privileged levels into lower privileged levels. As hypervisor Xen must preserve these semantics. One way to achieve this is to trap all possible leaks and emulate the leak in the hypervisor. This is what Xen tried and failed to implement correctly.

An other possible solution to similar problems is to complicate the CPU even further and have it virtualise the corner cases in hardware or microcode.