thr3ads.net - Xen devel - DRAFT XSA 78 - Insufficient TLB flushing in VT-d (iommu) code [Nov 2013]

If this information is useful, please help other people find it:
Share via:

Xen.org security team

2013-Nov-20 16:36 UTC

DRAFT XSA 78 - Insufficient TLB flushing in VT-d (iommu) code

***** DRAFT DRAFT DRAFT *****

                    Xen Security Advisory XSA-78

           Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
================
An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
=====
Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
=================
Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
=========
This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
=============================
This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Xen devel - Nov 2013 - DRAFT XSA 78 - Insufficient TLB flushing in VT-d (iommu) code

DRAFT XSA 78 - Insufficient TLB flushing in VT-d (iommu) code