Date: Tue, 14 Nov 2023 14:00:50 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security-team-members@....org> Subject: Xen Security Advisory 445 v3 (CVE-2023-46835) - x86/AMD: mismatch in IOMMU quarantine page table levels -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2023-46835 / XSA-445 version 3 x86/AMD: mismatch in IOMMU quarantine page table levels UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks. IMPACT ====== A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned. VULNERABLE SYSTEMS ================== All Xen versions supporting PCI passthrough are affected. Only x86 AMD systems with IOMMU hardware are vulnerable. Only x86 guests which have physical devices passed through to them can leverage the vulnerability. MITIGATION ========== Not passing through physical devices to guests will avoid the vulnerability. Not using quarantine scratch-page mode will avoid the vulnerability, but could result in other issues. CREDITS ======= This issue was discovered by Roger Pau Monné of XenServer. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa445.patch xen-unstable xsa445-4.17.patch Xen 4.17.x xsa445-4.16.patch Xen 4.16.x xsa445-4.15.patch Xen 4.15.x $ sha256sum xsa445* 751892f1a603dbee7ecb82d046aee6d87bf10398f365d3880a7f7d32eb3d73c1 xsa445.patch 9ae729410504961578e679ba19931646802b213d026b6587fb1abb43b2629186 xsa445-4.15.patch 55fe5925741b650fe2583a1e9855ea66c4fe0212de4fe93535fd592188fa64d4 xsa445-4.16.patch 7c4478d348dad0d9c71685a8c402df78d74c6b4d3c3e1627115b91967e54d94a xsa445-4.17.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmVTfRsMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZJdUIAJOmkQjl9EbYfiuBclmQJgOik6dYwYfFRNr+Q7g0 mWWQRF9BRSZkkzKipBeFWgBkQcx/3qo5HFBfElp9Atq4JpwXlcn9iBDR9fj5Zojl lUxKHbppKZ9lG6izHjZNVgOOmYkLBxi8STWlB4aXrxhqbgxEnv4MESC809qUuzsy lXl8AZERW7f/L8aW5IlpQqVKskc3NXUtvrhwyegrzL5SQfeGxIl3EPChA0UGq3PC McBQWtyMBZHmwOQco8o8QenflWpRmgO4nYHdy2CAJ5XfCqa5bgNs61AR12BAUSaS 5MLSRtCIn2VYxrfsHrE2aCYJHLvzRzWnR09N0p8DKW+4AXY= =gjG7 -----END PGP SIGNATURE----- Download attachment "xsa445.patch" of type "application/octet-stream" (2915 bytes) Download attachment "xsa445-4.15.patch" of type "application/octet-stream" (2942 bytes) Download attachment "xsa445-4.16.patch" of type "application/octet-stream" (2961 bytes) Download attachment "xsa445-4.17.patch" of type "application/octet-stream" (2915 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.