Xen.org security team
2013-Jan-09 13:18 UTC
Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt remapping source validation flaw
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5634 / XSA-33 version 2 VT-d interrupt remapping source validation flaw UPDATES IN VERSION 2 =================== Public release. ISSUE DESCRIPTION ================ When passing a device which is behind a legacy PCI Bridge through to a guest Xen incorrectly configures the VT-d hardware. This could allow incorrect interrupts to be injected to other guests which also have passthrough devices. In a typical Xen system many devices are owned by domain 0 or driver domains, leaving them vulnerable to such an attack. Such a DoS is likely to have an impact on other guests running in the system. IMPACT ===== A malicious domain, given access to a device which is behind a legacy PCI bridge, can mount a denial of service attack affecting the whole system. VULNERABLE SYSTEMS ================= Xen version 4.0 onwards is vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable. Any domain which is given access to a PCI device that is behind a legacy PCI bridge can take advantage of this vulnerability. Domains which are given access to PCIe devices only are not able to take advantage of this vulnerability. MITIGATION ========= This issue can be avoided by not assigning PCI devices which are behind a legacy PCI bridge to untrusted guests. NOTE REGARDING EMBARGO TIMELINE ============================== After discussion with the discloser we have decided to set a longer than usual embargo in order to avoid public disclosure during the holiday period. RESOLUTION ========= Applying the appropriate attached patch resolves this issue. xsa33-4.2-unstable.patch Xen 4.2.x, xen-unstable xsa33-4.1.patch Xen 4.1.x $ sha256sum xsa33*.patch b97ce505a4ea92d574d0b3abef7b4c600b7fdc682787dfd1e50fddd520f6a87d xsa33-4.1.patch ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c xsa33-4.2-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ7W34AAoJEIP+FMlX6CvZENoH/3baTpBwdJ/BaI+p8d9BYtIk lc78U3eX5LPX6wW5rO8m3ID0+y8jjGZftIm7VQBXCo1sRgW05feHZnRcxTJfzxvm NOoVA6yXxlULbi1gwpG5e2aPpOXywYE/SfQfesW+ooJXiUzUZyBxhM1WZWoSKgee 8VyT/uo57wcL7uqYZeDJIqwdljYDaysoxvTtFizQRo65uxOmDlOP0IjWhoMBxqSW YBrA9jcHXI+8Cx9GruLOeMqbxJKWAD0jF1QMv+wL/psl3nQ682A7TIUSjKIIuEnk guvF8+lZpkB3MER0kTisjbYdiRiE5Em/MP5r8B/Ft52Ejh15/V65Irv0kMdVnog=+i2W -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users
Xen.org security team
2013-Jan-11 17:11 UTC
Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt remapping source validation flaw
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2012-5634 / XSA-33 version 3 VT-d interrupt remapping source validation flaw UPDATES IN VERSION 3 =================== The patch supplied for Xen 4.1 (xsa33-4.1.patch) contained a build error. A corrected patch is attached. The fix is also now available in http://xenbits.xen.org/hg/xen-4.1-testing.hg as changeset 23441:2a91623a5807 ISSUE DESCRIPTION ================ When passing a device which is behind a legacy PCI Bridge through to a guest Xen incorrectly configures the VT-d hardware. This could allow incorrect interrupts to be injected to other guests which also have passthrough devices. In a typical Xen system many devices are owned by domain 0 or driver domains, leaving them vulnerable to such an attack. Such a DoS is likely to have an impact on other guests running in the system. IMPACT ===== A malicious domain, given access to a device which is behind a legacy PCI bridge, can mount a denial of service attack affecting the whole system. VULNERABLE SYSTEMS ================= Xen version 4.0 onwards is vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable. Any domain which is given access to a PCI device that is behind a legacy PCI bridge can take advantage of this vulnerability. Domains which are given access to PCIe devices only are not able to take advantage of this vulnerability. MITIGATION ========= This issue can be avoided by not assigning PCI devices which are behind a legacy PCI bridge to untrusted guests. NOTE REGARDING EMBARGO TIMELINE ============================== After discussion with the discloser we have decided to set a longer than usual embargo in order to avoid public disclosure during the holiday period. RESOLUTION ========= Applying the appropriate attached patch resolves this issue. xsa33-4.2-unstable.patch Xen 4.2.x, xen-unstable xsa33-4.1.patch Xen 4.1.x $ sha256sum xsa33*.patch cb015155e63c1ccedfe2ef01b2f2679ac14b00fa20d423bb1570199c3dd66af6 xsa33-4.1.patch ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c xsa33-4.2-unstable.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJQ8EdlAAoJEIP+FMlX6CvZVs0IAJJBsSxzETJbHGE16+1UEYD5 Tk3STo7nuf/qZKQUc8ORpepRd9+b34jgtwi/kdkqxyo3fza/SXuNNcAhPew1+TtT +GGeXRoNjEQIcho5KjLLEMwogW+gi7I/Y3XM3FZUfKU659sqltqsVly3HC8nstlw iwiAIKcXnuJa/ARMdcV0/IgKBu3AjAd7me3XnKVb7Kl0ZoOo+7FFQRlKxWkSthpJ ALkNoqyPXzlHN9lMfdPJF5Gyxhqprp8Xg9jdEVZnKNQx0Jzl8SsahJWEUVlgeeLo fIGAXgc12yvsL4CRS1z3uSwpon1AgOV0XT9V6xWtoeXraKhmvTQN4LCEqF8ovzg=qMzC -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users