Xen Project patches Intel’s Lazy FPU flaw, VMware doesn't need to

Guest register states are readable, but the patch cavalry has arrived

UPDATE The Xen Project has revealed that its hypervisor is susceptible to the Lazy FPU flaw found in Intel’s x86 CPUs.

An advisory says “Systems running all versions of Xen are affected”, provided they employ “Intel Core based processors (from at least Nehalem onwards)”.

Xen said the impact of the flaw is as follows:

An attacker can read x87/MMX/SSE/AVX/AVX-512 register state belonging to another vCPU previously scheduled on the same processor. This can be state belonging to a different guest, or state belonging to a different thread inside the same guest.

Thankfully there’s both a fix and a mitigation that works “by using cpupools or cpu pinning to isolate the vCPUs from different VMs to separate pCPUs.” The fix can be found as either a conventional patch or a “livepatch” that’s applicable while Xen runs.
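To check whether the pinning mitigation is actually in force, an administrator can look for pCPUs that more than one domain is allowed to run on. The Python below is an added example, not code from the Xen advisory or this article; it assumes input laid out like `xl vcpu-list` output, and the sample listing, domain names and pCPU count are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like `xl vcpu-list` output (assumed format;
# domain names and values are invented for illustration).
SAMPLE = """\
Name                                ID  VCPU   CPU State   Time(s) Affinity (Hard / Soft)
Domain-0                             0     0    0   r--     120.4  0-1 / all
Domain-0                             0     1    1   -b-      98.7  0-1 / all
guest-a                              1     0    2   -b-      33.1  2-3 / all
guest-a                              1     1    3   -b-      30.9  2-3 / all
guest-b                              2     0    3   -b-      12.0  3,5 / all
guest-c                              3     0    6   -b-       4.2  all / all
"""

def expand(cpulist, n_pcpus):
    """Expand an affinity string such as '0-3,5' or 'all' into a set of pCPU ids."""
    if cpulist == "all":
        return set(range(n_pcpus))
    cpus = set()
    for part in cpulist.split(","):
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def shared_pcpus(listing, n_pcpus):
    """Return {pcpu: sorted domain names} for pCPUs that more than one domain may run on."""
    users = defaultdict(set)
    for line in listing.splitlines()[1:]:  # skip the header row
        # Columns: Name, ID, VCPU, CPU, State, Time(s), then "hard / soft" affinity.
        m = re.match(r"(\S+)\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)\s*/", line)
        if not m:
            continue
        name, hard = m.groups()
        for cpu in expand(hard, n_pcpus):
            users[cpu].add(name)
    return {cpu: sorted(d) for cpu, d in sorted(users.items()) if len(d) > 1}

if __name__ == "__main__":
    # n_pcpus=8 is an assumed host size, needed to expand "all".
    for cpu, doms in shared_pcpus(SAMPLE, n_pcpus=8).items():
        print(f"pCPU {cpu}: shared by {', '.join(doms)}")
```

An empty result means no two domains have overlapping hard affinity; it says nothing about threads inside the same guest, which the advisory lists separately.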

The Register’s virtualization desk has asked VMware if its hypervisors are also affected by Lazy FPU and will update this story if the company has something to say.

VMware has, however, advised of some disruption to its VMware-on-AWS service so it can patch variant 4 of Spectre/Meltdown and CVE-2018-3640, the rogue system register read problem revealed in May 2018. Users have been advised that up to four hours of downtime may be required, but that the pain will come out of business hours and only after advance warning. ®

UPDATE, JUNE 20th: VMware's posted a knowledge base article in which it says its hypervisors aren't impacted by Lazy FPU, nor are most of its products. But a few that ship as Linux-based virtual appliances will need attention.
