mailing list archives
Re: [Xen-devel] [oss-security] Re: Xen Security Advisory 82 (CVE-2013-6885) - Guest triggerable AMD CPU erratum may cause host hang
From: Andrew Cooper <andrew.cooper3 () citrix com>
Date: Wed, 4 Dec 2013 22:43:08 +0000
On 02/12/2013 22:43, Matthew Daley wrote:
On Tue, Dec 3, 2013 at 7:16 AM, Kurt Seifried <kseifried () redhat com> wrote:
On 12/02/2013 10:22 AM, Ian Jackson wrote:
* Should the Xen Project security te4am have treated this issue
with an embargo at all, given that the flaw itself was public ?
I would say this depends on the level of public disclosure. For
example from "upstream" (AMD) there was a very limited disclosure (no
public announcement I'm aware of) and just some notes in a single PDF.
However this was also made public via the person who found it and then
picked up by ZDnet in an article, so I would personally count that as
Can you post a link to this ZDnet article? I don't think it can be the
one linked in the CVE description itself, because that talks about a
different, earlier bug IIUC; I privately asked Matt Dillon, who
discovered Errata 721, and he agreed that this CVE talks about a
different (but maybe related) Errata, #793.
The email (ID 201311280223.rAS2NbPL019021 () linus mitre org) has the
And identifies them as related to CVE-2013-6885
Unless DragonflyBSD is giving Write Combining memory to its regular
userspace processes (which would frankly be crazy and cause abysmal
performance - uncacheable reads have a habit of slowing things down
somewhat), I cant see any similarity between the CVE and the problem
described by Matt Dillon in the links.
The zdnet article quotes a statement from AMD of:
Also, this marginal erratum impacts the previous four generations of AMD
Opteron processors which include the AMD Opteron 2300,8300
8300("Barcelona" and "Shanghai",) 2400, 8400 ("Istanbul",) and 4100,
6100 ("Lisbon" and "Magny-Cours") series processors.
None of these generations are the "Jaguar Architecture" Family 16h
identified in the erratum description from #793 Furthermore, Matt
Dillon appears to be under the impression that he found erratum #721.
It therefore appears that the original MITRE email was incorrect as
identifying the two links (refering to #721, and nearly 2 years old
judging by http://article.gmane.org/gmane.os.dragonfly-bsd.kernel/14518)
as related to #793 (whos errata document's inital release was June of
Can anyone from AMD formally confirm or deny a link between errata #721
and #793 ?