|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-4.0-testing] x86, vtd: [CVE-2011-1898] Protect against malicious MSIs from untrusted devices.
# HG changeset patch # User Keir Fraser <keir@xxxxxxx> # Date 1305220065 -3600 # Node ID b85a9e58ec3aa46be0e4148737fefdddd59fdddf # Parent f47c6786ea6d8f14ce0a6770e9be51ca2b9d6888 x86, vtd: [CVE-2011-1898] Protect against malicious MSIs from untrusted devices. In the absence of VT-d interrupt remapping support, a device can send arbitrary APIC messages to host CPUs. One class of attack that results is to confuse the hypervisor by delivering asynchronous interrupts to vectors that are expected to handle only synchronous traps/exceptions. We block this class of attack by: (1) setting APIC.TPR=0x10, to block all interrupts below vector 0x20. This blocks delivery to all architectural exception vectors. (2) checking APIC.ISR[vec] for vectors 0x80 (fast syscall) and 0x82 (hypercall). In these cases we BUG if we detect we are handling a hardware interrupt -- turning a potentially more severe infiltration into a straightforward system crash (i.e, DoS). Thanks to Invisible Things Lab <http://www.invisiblethingslab.com> for discovery and detailed investigation of this attack. Signed-off-by: Keir Fraser <keir@xxxxxxx> xen-unstable changeset: 23337:cc91832a02c7 xen-unstable date: Thu May 12 16:39:31 2011 +0100 --- diff -r f47c6786ea6d -r b85a9e58ec3a xen/arch/x86/apic.c --- a/xen/arch/x86/apic.c Thu May 12 09:23:21 2011 +0100 +++ b/xen/arch/x86/apic.c Thu May 12 18:07:45 2011 +0100 @@ -572,12 +572,9 @@ init_apic_ldr(); /* - * Set Task Priority to 'accept all'. We never change this - * later on. + * Set Task Priority to reject any interrupts below FIRST_DYNAMIC_VECTOR. */ - value = apic_read(APIC_TASKPRI); - value &= ~APIC_TPRI_MASK; - apic_write_around(APIC_TASKPRI, value); + apic_write_around(APIC_TASKPRI, (FIRST_DYNAMIC_VECTOR & 0xF0) - 0x10); /* * After a crash, we no longer service the interrupts and a pending @@ -1498,3 +1495,9 @@ return 0; } + +void check_for_unexpected_msi(unsigned int vector) +{ + unsigned long v = apic_read(APIC_ISR + ((vector & ~0x1f) >> 1)); + BUG_ON(v & (1 << (vector & 0x1f))); +} diff -r f47c6786ea6d -r b85a9e58ec3a xen/arch/x86/x86_64/compat/entry.S --- a/xen/arch/x86/x86_64/compat/entry.S Thu May 12 09:23:21 2011 +0100 +++ b/xen/arch/x86/x86_64/compat/entry.S Thu May 12 18:07:45 2011 +0100 @@ -27,6 +27,15 @@ pushq $0 movl $TRAP_syscall,4(%rsp) SAVE_ALL + + cmpb $0,untrusted_msi(%rip) + je 1f + movl $0x82,%edi + call check_for_unexpected_msi + RESTORE_ALL + SAVE_ALL +1: + GET_CURRENT(%rbx) cmpl $NR_hypercalls,%eax diff -r f47c6786ea6d -r b85a9e58ec3a xen/arch/x86/x86_64/entry.S --- a/xen/arch/x86/x86_64/entry.S Thu May 12 09:23:21 2011 +0100 +++ b/xen/arch/x86/x86_64/entry.S Thu May 12 18:07:45 2011 +0100 @@ -310,6 +310,14 @@ pushq $0 SAVE_ALL + cmpb $0,untrusted_msi(%rip) + je 1f + movl $0x80,%edi + call check_for_unexpected_msi + RESTORE_ALL + SAVE_ALL +1: + GET_CURRENT(%rbx) /* Check that the callback is non-null. */ diff -r f47c6786ea6d -r b85a9e58ec3a xen/drivers/passthrough/vtd/iommu.c --- a/xen/drivers/passthrough/vtd/iommu.c Thu May 12 09:23:21 2011 +0100 +++ b/xen/drivers/passthrough/vtd/iommu.c Thu May 12 18:07:45 2011 +0100 @@ -42,6 +42,9 @@ #define nr_ioapics iosapic_get_nr_iosapics() #endif +/* Possible unfiltered LAPIC/MSI messages from untrusted sources? */ +bool_t __read_mostly untrusted_msi; + int nr_iommus; static bool_t rwbf_quirk; @@ -1566,6 +1569,14 @@ if (!pdev) return -ENODEV; + /* + * Devices assigned to untrusted domains (here assumed to be any domU) + * can attempt to send arbitrary LAPIC/MSI messages. We are unprotected + * by the root complex unless interrupt remapping is enabled. + */ + if ( (target != dom0) && !iommu_intremap ) + untrusted_msi = 1; + ret = domain_context_unmap(source, bus, devfn); if ( ret ) return ret; _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |