Message-Id: <E1Ycuzb-0005NW-CJ@xenbits.xen.org>
Date: Tue, 31 Mar 2015 12:10:03 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 126 (CVE-2015-2756) - Unmediated PCI command
 register access in qemu

            Xen Security Advisory CVE-2015-2756 / XSA-126
                              version 3

          Unmediated PCI command register access in qemu

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

HVM guests are currently permitted to modify the memory and I/O decode
bits in the PCI command register of devices passed through to them.
Unless the device is an SR-IOV virtual function, after disabling one or
both of these bits subsequent accesses to the MMIO or I/O port ranges
would - on PCI Express devices - lead to Unsupported Request responses.
The treatment of such errors is platform specific.

Furthermore (at least) devices under control of the Linux pciback
driver in the host are handed to guests with the aforementioned bits
turned off. This means that such accesses can similarly lead to
Unsupported Request responses until these flags are set as needed by
the guest.

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted HVM guests.

This issue can also be avoided by only using PV guests or HVM guests
with their device model run in a separate (stub) domain.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa126-qemuu.patch           qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa126-qemuu-4.3.patch       qemu-upstream-unstable, Xen 4.3.x
xsa126-qemut.patch           qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

For those already having the original patch in place, applying the
appropriate attached incremental patch addresses the regression.

xsa126-qemuu-incr.patch      qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa126-qemuu-4.3-incr.patch  qemu-upstream-unstable, Xen 4.3.x
xsa126-qemut-incr.patch      qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa126*.patch
bd69a0d18127793a9aa2097062ecaef76df6e6b8f729406d7d52cf66519e3b0d  xsa126-qemut-incr.patch
2a9b8f73b2a4f0cfb6b724c9a0a72dbf08cae87cd382f61f563218c32d1036a7  xsa126-qemut.patch
658bc483d1110e4e04de2d70fba1cdb20c5cecdc2f419db2d82bddc3ae1690b6  xsa126-qemuu-4.3-incr.patch
090d9262a9e9d24f0f4eca35cb0d56831d5cec6a6ba38b4c7e276d767de660c1  xsa126-qemuu-4.3.patch
3f7b6737c08ff7e119bec16c8c3b3cb832429f1410e687edf622fab57a22842e  xsa126-qemuu-incr.patch
eb5b93600267639b2cda1c5e2f937ddbecbf6c8cbd19dbb355224c39c2e40d3e  xsa126-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Download attachment "xsa126-qemut-incr.patch" of type "application/octet-stream" (2863 bytes)
Download attachment "xsa126-qemut.patch" of type "application/octet-stream" (5452 bytes)
Download attachment "xsa126-qemuu-4.3-incr.patch" of type "application/octet-stream" (2373 bytes)
Download attachment "xsa126-qemuu-4.3.patch" of type "application/octet-stream" (4589 bytes)
Download attachment "xsa126-qemuu-incr.patch" of type "application/octet-stream" (2329 bytes)
Download attachment "xsa126-qemuu.patch" of type "application/octet-stream" (4553 bytes)
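
A dom0-side check for the MITIGATION section above, as an added example that is not part of the advisory or of the Xen patches: it lists devices bound to the Linux pciback driver and flags those that are PCI Express (or cannot be classified) and are not SR-IOV virtual functions. It assumes the standard Linux sysfs layout (`/sys/bus/pci/drivers/pciback`, the `physfn` link present on virtual functions) and root privileges, since unprivileged reads of `config` stop at 64 bytes; `audit`, `is_pcie` and the `review` key are names chosen for this example.

```python
import os, re, struct

BDF = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$")
PCI_COMMAND, PCI_STATUS, PCI_CAP_PTR = 0x04, 0x06, 0x34
CMD_IO, CMD_MEMORY = 0x1, 0x2          # the I/O and memory decode bits
STATUS_CAP_LIST, CAP_ID_PCIE = 0x10, 0x10

def is_pcie(cfg):
    """Walk the capability list; None if the dump is too short to decide."""
    if len(cfg) < 0x40:
        return None
    status, = struct.unpack_from("<H", cfg, PCI_STATUS)
    if not status & STATUS_CAP_LIST:
        return False
    ptr, seen = cfg[PCI_CAP_PTR] & 0xFC, set()
    while ptr and ptr not in seen:      # 'seen' guards against a looping list
        if ptr + 1 >= len(cfg):
            return None                 # capability lies beyond the bytes we could read
        if cfg[ptr] == CAP_ID_PCIE:
            return True
        seen.add(ptr)
        ptr = cfg[ptr + 1] & 0xFC
    return False

def audit(sysfs="/sys", driver="pciback"):
    """Return one dict per device bound to `driver`; review=True needs attention."""
    drv = os.path.join(sysfs, "bus/pci/drivers", driver)
    names = sorted(os.listdir(drv)) if os.path.isdir(drv) else []
    out = []
    for bdf in names:
        if not BDF.match(bdf):          # skip bind, unbind, new_slot, ...
            continue
        dev = os.path.join(drv, bdf)
        with open(os.path.join(dev, "config"), "rb") as f:
            cfg = f.read(256)
        cmd, = struct.unpack_from("<H", cfg, PCI_COMMAND)
        vf = os.path.exists(os.path.join(dev, "physfn"))   # only SR-IOV VFs have it
        pcie = is_pcie(cfg)
        out.append({"bdf": bdf, "sriov_vf": vf, "pcie": pcie,
                    "io_decode": bool(cmd & CMD_IO), "mem_decode": bool(cmd & CMD_MEMORY),
                    # unknown PCIe status is flagged too (fail closed)
                    "review": pcie is not False and not vf})
    return out

if __name__ == "__main__":
    for d in audit():
        print(d)
```

A flagged device matters only if it is assigned to an untrusted HVM guest whose device model runs in Dom0; PV guests and stub-domain device models are outside the affected configuration.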