
Re: Xen Security Advisory 360 v1 - IRQ vector leak on x86


  • To: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Thu, 21 Jan 2021 15:34:40 +0100
  • Cc: <xen-devel@xxxxxxxxxxxxx>
  • Delivery-date: Thu, 21 Jan 2021 14:34:52 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Jan 21, 2021 at 03:20:12PM +0100, Marek Marczykowski-Górecki wrote:
> On Thu, Jan 21, 2021 at 02:10:48PM +0000, Xen.org security team wrote:
> >                     Xen Security Advisory XSA-360
> > 
> >                         IRQ vector leak on x86
> > 
> > ISSUE DESCRIPTION
> > =================
> > 
> > A x86 HVM guest with PCI pass through devices can force the allocation
> > of all IDT vectors on the system by rebooting itself with MSI or MSI-X
> > capabilities enabled and entries setup.
> 
> (...)
> 
> > MITIGATION
> > ==========
> > 
> > Not running HVM guests with PCI pass through devices will avoid the
> > vulnerability.  Note that even non-malicious guests can trigger this
> > vulnerability as part of normal operation.
> 
> Does the 'on_reboot="destroy"' mitigate the issue too? Or on_soft_reset?

Kind of. Note you will still leak the in-use vectors when the guest is
destroyed, but that would prevent the guest from entering a reboot
loop and exhausting all vectors on the system unless the admin starts
it again.

In that case I think the premise of a guest 'rebooting itself' doesn't
apply anymore, since the guest won't be able to perform such an
operation.

Roger.
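
As an added example (not part of the original thread and not Xen project code), the Python check below reads xl guest configuration text and reports whether the guest matches the advisory's affected profile (HVM with PCI pass through) and whether on_reboot="destroy" is set, which per the reply above stops a guest-driven reboot loop but still leaks the in-use vectors on each destroy. It assumes xl.cfg syntax with the `type`/`builder`, `pci` and `on_reboot` keys and an on_reboot default of "restart"; the function names and sample configs are constructed for illustration.

```python
import ast
import re

# key = value, where value is a (possibly multi-line) list, a quoted string,
# or a bare token. Simplified: not a full xl.cfg grammar.
ASSIGN = re.compile(
    r"""^\s*(\w+)\s*=\s*(\[.*?\]|"[^"]*"|'[^']*'|[^\s#;]+)""",
    re.MULTILINE | re.DOTALL,
)

def parse_xl_cfg(text):
    """Return a dict of settings found in xl.cfg-style text."""
    text = re.sub(r"^\s*#.*$", "", text, flags=re.MULTILINE)  # full-line comments
    settings = {}
    for key, raw in ASSIGN.findall(text):
        try:
            settings[key] = ast.literal_eval(raw)  # strings, lists, numbers
        except (ValueError, SyntaxError):
            settings[key] = raw                    # keep unparsed token as-is
    return settings

def xsa360_exposure(text):
    """Classify a guest config against the XSA-360 discussion in this thread."""
    cfg = parse_xl_cfg(text)
    is_hvm = cfg.get("type") == "hvm" or cfg.get("builder") == "hvm"
    has_pci = bool(cfg.get("pci"))  # hot-plugged devices are not visible here
    if not (is_hvm and has_pci):
        return "not-affected-config"
    # Assumption: on_reboot defaults to "restart" when the key is absent.
    if cfg.get("on_reboot", "restart") == "destroy":
        return "leak-per-destroy"       # no self-driven loop; vectors still leak
    return "reboot-loop-possible"       # guest can reboot itself repeatedly

# Constructed sample configurations (not taken from any real host).
SAMPLE_LOOPABLE = '''
# constructed sample
name = "hvm-nic"
type = "hvm"
memory = 2048
pci = [ '0000:03:00.0',
        '0000:03:00.1' ]
'''
SAMPLE_DESTROY = SAMPLE_LOOPABLE + 'on_reboot = "destroy"\n'
SAMPLE_PV = 'name = "pv1"\ntype = "pv"\npci = ["0000:04:00.0"]\n'

if __name__ == "__main__":
    for label, cfg in [("loopable", SAMPLE_LOOPABLE),
                       ("destroy", SAMPLE_DESTROY), ("pv", SAMPLE_PV)]:
        print(label, "->", xsa360_exposure(cfg))
```
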



 

