Xen project Mailing List

[Xen-devel] DRAFT XSA 78 - Insufficient TLB flushing in VT-d (iommu) code

To: xen-devel@xxxxxxxxxxxxxxxxxxxx,yqcheng.2008@xxxxxxxxxxxxxxxx, zhangzhi2022@xxxxxxxxxxx,junqing@xxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Wed, 20 Nov 2013 16:36:49 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Wed, 20 Nov 2013 16:37:20 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

***** DRAFT DRAFT DRAFT ***** Xen Security Advisory XSA-78 Insufficient TLB flushing in VT-d (iommu) code ISSUE DESCRIPTION ================= An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended. IMPACT ====== Malicious guest administrators might be able to cause host-wide denial of service, or escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== Xen 4.2.x and later are vulnerable. Xen 4.1.x and earlier are not vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable. MITIGATION ========== This issue can be avoided by not assigning PCI devices to untrusted guests on systems supporting Intel VT-d. NOTE REGARDING LACK OF EMBARGO ============================== This issue was disclosed publicly on the xen-devel mailing list. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa78.patch Xen 4.2.x, Xen 4.3.x, xen-unstable $ sha256sum xsa78*.patch 2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e xsa78.patch $

Attachment: xsa78.patch
Description: Binary data

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.