Xen.org security team
2013-Jan-09 13:18 UTC
Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt remapping source validation flaw
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2012-5634 / XSA-33
version 2
VT-d interrupt remapping source validation flaw
UPDATES IN VERSION 2
===================
Public release.
ISSUE DESCRIPTION
================
When passing a device which is behind a legacy PCI Bridge through to
a guest Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
passthrough devices.
In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.
IMPACT
=====
A malicious domain, given access to a device which is behind a legacy
PCI bridge, can mount a denial of service attack affecting the whole
system.
VULNERABLE SYSTEMS
=================
Xen version 4.0 onwards is vulnerable.
Only systems using Intel VT-d for PCI passthrough are vulnerable.
Any domain which is given access to a PCI device that is behind a
legacy PCI bridge can take advantage of this vulnerability.
Domains which are given access to PCIe devices only are not able to
take advantage of this vulnerability.
MITIGATION
=========
This issue can be avoided by not assigning PCI devices which are
behind a legacy PCI bridge to untrusted guests.
NOTE REGARDING EMBARGO TIMELINE
==============================
After discussion with the discloser we have decided to set a longer
than usual embargo in order to avoid public disclosure during the
holiday period.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
xsa33-4.2-unstable.patch Xen 4.2.x, xen-unstable
xsa33-4.1.patch Xen 4.1.x
$ sha256sum xsa33*.patch
b97ce505a4ea92d574d0b3abef7b4c600b7fdc682787dfd1e50fddd520f6a87d
xsa33-4.1.patch
ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c
xsa33-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJQ7W34AAoJEIP+FMlX6CvZENoH/3baTpBwdJ/BaI+p8d9BYtIk
lc78U3eX5LPX6wW5rO8m3ID0+y8jjGZftIm7VQBXCo1sRgW05feHZnRcxTJfzxvm
NOoVA6yXxlULbi1gwpG5e2aPpOXywYE/SfQfesW+ooJXiUzUZyBxhM1WZWoSKgee
8VyT/uo57wcL7uqYZeDJIqwdljYDaysoxvTtFizQRo65uxOmDlOP0IjWhoMBxqSW
YBrA9jcHXI+8Cx9GruLOeMqbxJKWAD0jF1QMv+wL/psl3nQ682A7TIUSjKIIuEnk
guvF8+lZpkB3MER0kTisjbYdiRiE5Em/MP5r8B/Ft52Ejh15/V65Irv0kMdVnog=+i2W
-----END PGP SIGNATURE-----
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
Xen.org security team
2013-Jan-11 17:11 UTC
Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt remapping source validation flaw
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2012-5634 / XSA-33
version 3
VT-d interrupt remapping source validation flaw
UPDATES IN VERSION 3
===================
The patch supplied for Xen 4.1 (xsa33-4.1.patch) contained a build
error. A corrected patch is attached. The fix is also now available in
http://xenbits.xen.org/hg/xen-4.1-testing.hg as changeset
23441:2a91623a5807
ISSUE DESCRIPTION
================
When passing a device which is behind a legacy PCI Bridge through to
a guest Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
passthrough devices.
In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.
IMPACT
=====
A malicious domain, given access to a device which is behind a legacy
PCI bridge, can mount a denial of service attack affecting the whole
system.
VULNERABLE SYSTEMS
=================
Xen version 4.0 onwards is vulnerable.
Only systems using Intel VT-d for PCI passthrough are vulnerable.
Any domain which is given access to a PCI device that is behind a
legacy PCI bridge can take advantage of this vulnerability.
Domains which are given access to PCIe devices only are not able to
take advantage of this vulnerability.
MITIGATION
=========
This issue can be avoided by not assigning PCI devices which are
behind a legacy PCI bridge to untrusted guests.
NOTE REGARDING EMBARGO TIMELINE
==============================
After discussion with the discloser we have decided to set a longer
than usual embargo in order to avoid public disclosure during the
holiday period.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
xsa33-4.2-unstable.patch Xen 4.2.x, xen-unstable
xsa33-4.1.patch Xen 4.1.x
$ sha256sum xsa33*.patch
cb015155e63c1ccedfe2ef01b2f2679ac14b00fa20d423bb1570199c3dd66af6
xsa33-4.1.patch
ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c
xsa33-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJQ8EdlAAoJEIP+FMlX6CvZVs0IAJJBsSxzETJbHGE16+1UEYD5
Tk3STo7nuf/qZKQUc8ORpepRd9+b34jgtwi/kdkqxyo3fza/SXuNNcAhPew1+TtT
+GGeXRoNjEQIcho5KjLLEMwogW+gi7I/Y3XM3FZUfKU659sqltqsVly3HC8nstlw
iwiAIKcXnuJa/ARMdcV0/IgKBu3AjAd7me3XnKVb7Kl0ZoOo+7FFQRlKxWkSthpJ
ALkNoqyPXzlHN9lMfdPJF5Gyxhqprp8Xg9jdEVZnKNQx0Jzl8SsahJWEUVlgeeLo
fIGAXgc12yvsL4CRS1z3uSwpon1AgOV0XT9V6xWtoeXraKhmvTQN4LCEqF8ovzg=qMzC
-----END PGP SIGNATURE-----
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users