-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2019-18424 / XSA-302
passed through PCI devices may corrupt host memory after deassignment
UPDATES IN VERSION 5
The patches are broken on ARM (which is not affected by the issue).
Don't apply the patches on ARM. See Resolution.
ISSUE DESCRIPTION
When a PCI device is assigned to an untrusted domain, it is possible
for that domain to program the device to DMA to an arbitrary address.
The IOMMU is used to protect the host from malicious DMA by making
sure that the device addresses can only target memory assigned to the
guest. However, when the guest domain is torn down, or the device is
deassigned, the device is assigned back to dom0, thus allowing any
in-flight DMA to potentially target critical host data.
IMPACT
An untrusted domain with access to a physical device can DMA into host
memory, leading to privilege escalation.
VULNERABLE SYSTEMS
Only systems where guests are given direct access to physical devices
capable of DMA (PCI pass-through) are vulnerable. Systems which do
not use PCI pass-through are not vulnerable.
MITIGATION
In some configurations, use of passthrough can be replaced with a
higher-level protocol such as Xen PV block or network devices.
CREDITS
This issue was discovered by Paul Durrant of Citrix.
RESOLUTION
Applying the appropriate attached patchset should resolve this issue.
For Xen 4.9 and earlier, at least the first patch of XSA-299
(whitespace cleanup) is also needed for the XSA-302 patches to apply.
Unfortunately, at the time of writing, these patches have not been
tested to our satisfaction.
The patches are known to break on ARM. ARM is not affected by the
issue, so do not apply these patches on ARM systems. (On x86, there
is a latent bug but the patches are good to use.)
xsa302-4.12/*.patch Xen 4.12.x
xsa302-4.11/*.patch Xen 4.11.x
xsa302-4.10/*.patch Xen 4.10.x
xsa302-4.9/*.patch Xen 4.9.x, Xen 4.8.x
$ sha256sum xsa302* xsa302*/*
DEPLOYMENT DURING EMBARGO
Deployment of the *patches* described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Also: deployment of the reconfiguration *mitigation* is NOT permitted
(except where all the affected systems and VMs are administered and
used only by organisations which are members of the Xen Project
Security Issues Predisclosure List). Specifically, deployment on
public cloud systems is NOT permitted.
This is because this reconfiguration reveals that a PCI passthrough
vulnerability is involved.
Deployment of that mitigation is permitted only AFTER the embargo
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Xen-announce mailing list
xsa302.meta (2K)
xsa302-4.9/0001-IOMMU-add-missing-HVM-check.patch (1K)
xsa302-4.9/0002-passthrough-quarantine-PCI-devices.patch (23K)
xsa302-4.10/0001-IOMMU-add-missing-HVM-check.patch (1K)
xsa302-4.10/0002-passthrough-quarantine-PCI-devices.patch (23K)
xsa302-4.11/0001-IOMMU-add-missing-HVM-check.patch (1K)
xsa302-4.11/0002-passthrough-quarantine-PCI-devices.patch (23K)
xsa302-4.12/0001-IOMMU-add-missing-HVM-check.patch (1K)
xsa302-4.12/0002-passthrough-quarantine-PCI-devices.patch (23K)
xsa302/0001-passthrough-quarantine-PCI-devices.patch (23K)