Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 11 Jan 2013 17:11:48 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security@....org>
Subject: Xen Security Advisory 33 (CVE-2012-5634) - VT-d interrupt
 remapping source validation flaw

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	     Xen Security Advisory CVE-2012-5634 / XSA-33
                             version 3

	   VT-d interrupt remapping source validation flaw

UPDATES IN VERSION 3
====================

The patch supplied for Xen 4.1 (xsa33-4.1.patch) contained a build
error. A corrected patch is attached. The fix is also now available in
http://xenbits.xen.org/hg/xen-4.1-testing.hg as changeset
23441:2a91623a5807

ISSUE DESCRIPTION
=================

When passing a device which is behind a legacy PCI Bridge through to
a guest Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
passthrough devices.

In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.

IMPACT
======

A malicious domain, given access to a device which is behind a legacy
PCI bridge, can mount a denial of service attack affecting the whole
system.

VULNERABLE SYSTEMS
==================

Xen version 4.0 onwards is vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

Any domain which is given access to a PCI device that is behind a
legacy PCI bridge can take advantage of this vulnerability.

Domains which are given access to PCIe devices only are not able to
take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices which are
behind a legacy PCI bridge to untrusted guests.

NOTE REGARDING EMBARGO TIMELINE
===============================

After discussion with the discloser we have decided to set a longer
than usual embargo in order to avoid public disclosure during the
holiday period.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa33-4.2-unstable.patch          Xen 4.2.x, xen-unstable
xsa33-4.1.patch                   Xen 4.1.x

$ sha256sum xsa33*.patch
cb015155e63c1ccedfe2ef01b2f2679ac14b00fa20d423bb1570199c3dd66af6  xsa33-4.1.patch
ba05474b8e1232318ae010d63d24ff1b15ba4d83e28cdb69d6a76e8f9eb5292c  xsa33-4.2-unstable.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQ8EdlAAoJEIP+FMlX6CvZVs0IAJJBsSxzETJbHGE16+1UEYD5
Tk3STo7nuf/qZKQUc8ORpepRd9+b34jgtwi/kdkqxyo3fza/SXuNNcAhPew1+TtT
+GGeXRoNjEQIcho5KjLLEMwogW+gi7I/Y3XM3FZUfKU659sqltqsVly3HC8nstlw
iwiAIKcXnuJa/ARMdcV0/IgKBu3AjAd7me3XnKVb7Kl0ZoOo+7FFQRlKxWkSthpJ
ALkNoqyPXzlHN9lMfdPJF5Gyxhqprp8Xg9jdEVZnKNQx0Jzl8SsahJWEUVlgeeLo
fIGAXgc12yvsL4CRS1z3uSwpon1AgOV0XT9V6xWtoeXraKhmvTQN4LCEqF8ovzg=
=qMzC
-----END PGP SIGNATURE-----

Download attachment "xsa33-4.1.patch" of type "application/octet-stream" (850 bytes)

Download attachment "xsa33-4.2-unstable.patch" of type "application/octet-stream" (855 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.