Xen.org security team
2013-Nov-20 17:08 UTC
Xen Security Advisory 78 - Insufficient TLB flushing in VT-d (iommu) code
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-78 Insufficient TLB flushing in VT-d (iommu) code ISSUE DESCRIPTION ================ An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended. IMPACT ===== Malicious guest administrators might be able to cause host-wide denial of service, or escalate their privilege to that of the host. VULNERABLE SYSTEMS ================= Xen 4.2.x and later are vulnerable. Xen 4.1.x and earlier are not vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable. MITIGATION ========= This issue can be avoided by not assigning PCI devices to untrusted guests on systems supporting Intel VT-d. NOTE REGARDING LACK OF EMBARGO ============================= This issue was disclosed publicly on the xen-devel mailing list. RESOLUTION ========= Applying the attached patch resolves this issue. xsa78.patch Xen 4.2.x, Xen 4.3.x, xen-unstable $ sha256sum xsa78*.patch 2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e xsa78.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSjOx1AAoJEIP+FMlX6CvZiRgIAL1iKDQGOT+uULBy+pi8El/H ptqI1qsEX1CKkrl0tTTueXlIWqvpDP5iHJR3tqj10OeNn/tSyV/PCCuJonFaPDUJ aNucKbiiXvaHlfw4CNMOuWa2xaWUdoiTN8RM8OCWQgM9Ybk6weZtCNcp/dQk5gwL NzMHl+aD2Av0NiLZM3K857nk3wikcJAr+Lhd/wOx3W0oqmvRq+tszj3p4qOgNJ7/ CpTQd1TifkBaE7y3BxX3jofkSPM451oxyIz5WcsripnbL+psQK1T9ASkqr5iI8O7 cWJheDS64MlRRF7SujcJz1MekVvubg6njw8Gg3HPxIqagQJMn4GEkQT+98Kelf0=wrTD -----END PGP SIGNATURE----- _______________________________________________ Xen-users mailing list Xen-users@lists.xen.org http://lists.xen.org/xen-users