Xen.org security team
2013-Nov-21 11:32 UTC
Xen Security Advisory 78 (CVE-2013-6375) - Insufficient TLB flushing in VT-d (iommu) code
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-6375 / XSA-78
version 2
Insufficient TLB flushing in VT-d (iommu) code
UPDATES IN VERSION 2
===================
This issue has been assigned CVE-2013-6375.
ISSUE DESCRIPTION
================
An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry. Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.
IMPACT
=====
Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.
VULNERABLE SYSTEMS
=================
Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.
Only systems using Intel VT-d for PCI passthrough are vulnerable.
MITIGATION
=========
This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.
NOTE REGARDING LACK OF EMBARGO
=============================
This issue was disclosed publicly on the xen-devel mailing list.
RESOLUTION
=========
Applying the attached patch resolves this issue.
xsa78.patch Xen 4.2.x, Xen 4.3.x, xen-unstable
$ sha256sum xsa78*.patch
bb13b280bb456c1d7c8f468e23e336e6b2d06eb364c6823f1b426fcfe09f6ed3 xsa78.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQEcBAEBAgAGBQJSje8rAAoJEIP+FMlX6CvZ1kkIALhafGTk2hNupn2YyvqaUchF
P7lnff8PohFj9WRM3I5axrJGkZeOozjeRSbgaVwlg5UY1A6vNqtT9GSQtSWRWbk/
/0ysGvwbBTdRQeGhvENhpFOJRF/4TjGn1xmCBgQbmrhZuS9iAQvJL8yUY/HdCVyf
gk9Vw/yuBZff15h97FH9M+zrdz+DbBTlR0t5HlVkLMvXyFkYIRafwaZVKWaH/C9y
S1Wz6M9q1U9KrE8wBsNNHMgywdTiriCkzhfxEQbsPKnn/NFCOS0ehqct0JeZx100
Eritdmkr805EUCcFUdS5R1EDP6xiRUCUAdbL/tvTJExzmPEG0sg7kKWIArRujLU=ZgNn
-----END PGP SIGNATURE-----
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel