Xen.org security team
2013-Nov-20 17:08 UTC
Xen Security Advisory 78 - Insufficient TLB flushing in VT-d (iommu) code
Xen Security Advisory XSA-78

Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry. Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests on systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$
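The failure mode described under ISSUE DESCRIPTION, as an added example that is not part of the advisory and is not Xen code: a toy C model of one translation table entry and the IOMMU's cached copy of it. All names (toy_iommu, toy_flush, toy_clear and so on) are hypothetical, and the rule that a flush is skipped when the old entry is reported as not present is an assumption of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not Xen code: one translation entry and the IOMMU's cached copy. */
struct toy_iommu {
    bool pte_present;   /* in-memory translation table entry */
    bool tlb_valid;     /* translation cached in the IOMMU TLB */
};

/* Device access: a TLB hit is honoured without re-reading the table. */
static bool toy_dma_translate(struct toy_iommu *io)
{
    if (!io->tlb_valid && !io->pte_present)
        return false;           /* miss and no entry: the access faults */
    io->tlb_valid = true;       /* hit, or table walk that fills the TLB */
    return true;
}

/* Assumption of this model: when the caller reports that the old entry was
 * not present, nothing can be cached for it, so the flush is skipped. */
static void toy_flush(struct toy_iommu *io, bool old_pte_present)
{
    if (old_pte_present)
        io->tlb_valid = false;
}

/* Clear an entry. buggy=true passes the inverted flag (the 'before' case). */
static void toy_clear(struct toy_iommu *io, bool buggy)
{
    bool was_present = io->pte_present;
    io->pte_present = false;
    toy_flush(io, buggy ? !was_present : was_present);
}

/* Returns true if the device can still reach the page after revocation. */
static bool toy_stale_access_after_clear(bool buggy)
{
    struct toy_iommu io = { .pte_present = true, .tlb_valid = false };
    (void)toy_dma_translate(&io);   /* device touches the page: TLB filled */
    toy_clear(&io, buggy);          /* mapping is revoked */
    return toy_dma_translate(&io);  /* does the old translation still work? */
}

int main(void)
{
    printf("inverted flag, stale access: %d\n", toy_stale_access_after_clear(true));
    printf("correct flag, stale access:  %d\n", toy_stale_access_after_clear(false));
    return 0;
}
```

In the model the table entry is gone in both cases; only the cached copy differs, which is why the stale access survives until the TLB is flushed.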