Date: Thu, 17 Dec 2015 12:42:15 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 157 (CVE-2015-8551,CVE-2015-8552) - Linux pciback missing sanity checks leading to crash -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-8551,CVE-2015-8552 / XSA-157 version 3 Linux pciback missing sanity checks leading to crash UPDATES IN VERSION 3 ==================== Removed CVE-2015-8553 from the title of this advisory. We will issue an update to XSA-120 which documents the assignment of CVE-2015-8553 to the XSA-120 v5+ addendum patch. Public release. ISSUE DESCRIPTION ================= Xen PCI backend driver does not perform proper sanity checks on the device's state. Which in turn allows the generic MSI code (called by Xen PCI backend) to be called incorrectly leading to hitting BUG conditions or causing NULL pointer exceptions in the MSI code. (CVE-2015-8551) To exploit this the guest can craft specific sequence of XEN_PCI_OP_* operations which will trigger this. Furthermore the frontend can also craft an continous stream of XEN_PCI_OP_enable_msi which will trigger an continous stream of WARN() messages triggered by the MSI code leading to the logging in the initial domain to exhaust disk space. (CVE-2015-8552) Lastly there is also missing check to verify whether the device has memory decoding enabled set at the start of the day leading the initial domain "accesses to the respective MMIO or I/O port ranges would - - on PCI Express devices - [which can] lead to Unsupported Request responses. The treatment of such errors is platform specific." (from XSA-120). Note that if XSA-120 'addendum' patch (re CVE-2015-8553) has been applied this particular sub-issue is not exploitable. IMPACT ====== Malicious guest administrators can cause denial of service. If driver domains are not in use, the impact is a host crash. Only x86 systems are vulnerable. ARM systems are not vulnerable. VULNERABLE SYSTEMS ================== This bug affects systems using Linux as the driver domain, including non-disaggregated systems using Linux as dom0. Linux versions v3.1 and onwards are vulnerable due to supporting PCI pass-through backend driver. PV and HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability. Furthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-capable or MSI-X. (Most modern devices are). MITIGATION ========== Not using PCI passthrough for PV and HVM guests. Note that for HVM guests QEMU is used for PCI passthrough - however the toolstack sets up also the 'PV' PCI which the guest can utilize if it chooses to do so. CREDITS ======= This issue was discovered by Konrad Rzeszutek Wilk of Oracle. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Linux 4.3: xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch xsa157-0002-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msix-w.patch xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch xsa157-0005-xen-pciback-Don-t-allow-MSI-X-ops-if-PCI_COMMAND_MEM.patch $ sha256sum xsa157* 0cb2d1729f17e640e33f11945f2e12eba85071238fab2dcc42f81b5d942c159b xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch 9bcb240a49a5cd48428cc9c01ee480297999b93f6977fdddd79ec715648aa244 xsa157-0002-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msix-w.patch 7c39b33d0e2d751970bbe56f463661c50aa5e4addc8eee35b80e9e1378e97b02 xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch 1acfd6f4ea13db6a146d547640f50d0ad40480b914b021760a518ac82e8e4c71 xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch b864620709e4b55a908dd6955a090ca03a9a07cfb31b66e2e5211ab8f0c77e68 xsa157-0005-xen-pciback-Don-t-allow-MSI-X-ops-if-PCI_COMMAND_MEM.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWcqy7AAoJEIP+FMlX6CvZr/gH+gKO6HcnCeZGPthmt7tKiHxn oa/VjgDMxIGVHerP0HRXTbletj7XOWhdDNrHNa7JQQXkjXiE+zmLRTVum/ghIxKO OMSiRtLFm6pkWmOXJI5kvOLDxt1aEECLG0lU9okbk7YmhZE65L4ysIsOGydfzAIn niKsCnMCxv2MDz5WtFy4okwE+dYJA/MrPfJ1kdJK2y26elxNv895HmwUG8vG042e NKsqBXWqF8Li2GgrtuXCmUAjHeEFXkouCCh7XVSZo70Zr1kVtFpifeNyz2V72qqh XRDmYkY5TJy+CD8tSIb82CcPU1JA7X5hFm1AuzYHeYT3+hxG0glcELGde+655Ig= =i8jn -----END PGP SIGNATURE----- Download attachment "xsa157-0001-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msi-wh.patch" of type "application/octet-stream" (2085 bytes) Download attachment "xsa157-0002-xen-pciback-Return-error-on-XEN_PCI_OP_enable_msix-w.patch" of type "application/octet-stream" (2222 bytes) Download attachment "xsa157-0003-xen-pciback-Do-not-install-an-IRQ-handler-for-MSI-in.patch" of type "application/octet-stream" (3097 bytes) Download attachment "xsa157-0004-xen-pciback-For-XEN_PCI_OP_disable_msi-x-only-disabl.patch" of type "application/octet-stream" (3280 bytes) Download attachment "xsa157-0005-xen-pciback-Don-t-allow-MSI-X-ops-if-PCI_COMMAND_MEM.patch" of type "application/octet-stream" (2283 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.