Re: Xen Security Advisory 360 v1 - IRQ vector leak on x86
On Thu, Jan 21, 2021 at 03:50:55PM +0100, Jan Beulich wrote:
> On 21.01.2021 15:34, Roger Pau Monné wrote:
> > On Thu, Jan 21, 2021 at 03:20:12PM +0100, Marek Marczykowski-Górecki wrote:
> >> On Thu, Jan 21, 2021 at 02:10:48PM +0000, Xen.org security team wrote:
> >>> Xen Security Advisory XSA-360
> >>>
> >>> IRQ vector leak on x86
> >>>
> >>> ISSUE DESCRIPTION
> >>> =================
> >>>
> >>> A x86 HVM guest with PCI pass through devices can force the allocation
> >>> of all IDT vectors on the system by rebooting itself with MSI or MSI-X
> >>> capabilities enabled and entries setup.
> >>
> >> (...)
> >>
> >>> MITIGATION
> >>> ==========
> >>>
> >>> Not running HVM guests with PCI pass through devices will avoid the
> >>> vulnerability. Note that even non-malicious guests can trigger this
> >>> vulnerability as part of normal operation.
> >>
> >> Does the 'on_reboot="destroy"' mitigate the issue too? Or on_soft_reset?
> >
> > Kind of. Note you will still leak the in use vectors when the guest is
> > destroyed, but that would prevent the guest from entering a reboot
> > loop and exhausting all vectors on the system unless the admin starts
> > it again.
> >
> > In that case I think the premise of a guest 'rebooting itself' doesn't
> > apply anymore, since the guest won't be able to perform such
> > operation.
>
> And how exactly would an admin tell a guest from rebooting for
> fair reasons from one rebooting for malicious reasons? To me,
> setting 'on_reboot="destroy"' would imply there's then some
> other mechanism to restart the guest (possibly with some delay),
> or else a reboot attempt by this guest would effectively be a
> DoS to its users.

Well, I would expect there are deployments or configurations that simply
don't expect (some) domains to reboot themselves.

I.e., for example, you won't expect driver domains to restart themselves
I think, and hence you could safely use on_reboot="destroy" in that case
to mitigate a compromised driver domain from exploiting this
vulnerability.

Roger.
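The following is an added example, not code from the thread or from Xen: a small POSIX sh audit that reads xl guest config files and reports which ones describe an HVM guest with PCI pass-through whose on_reboot policy still lets the guest restart itself, i.e. the combination the advisory and the on_reboot="destroy" discussion above are about. It assumes plain one-option-per-line xl syntax; the option names are real xl options, the file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit xl configs for the XSA-360
# exposure discussed above. Assumes one option per line; the option names
# (type, builder, pci, on_reboot) are real xl options, file names are
# constructed. A missing 'type' means PV, which is xl's default.

# Print the quoted value of a simple 'key = "value"' option (first match only).
xl_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# True if the config assigns at least one device via 'pci = [ "..." ]'.
# A list continued over several lines is not recognised by this check.
has_passthrough() {
    grep -Eq "^[[:space:]]*pci[[:space:]]*=[[:space:]]*\[[[:space:]]*[\"']" "$1"
}

# Returns 0 when the guest cannot drive the reboot loop from the advisory,
# 1 when it is an HVM guest with pass-through and on_reboot is not "destroy".
xsa360_check() {
    cfg=$1
    vtype=$(xl_opt "$cfg" type)
    if [ -z "$vtype" ]; then
        vtype=$(xl_opt "$cfg" builder)   # older spelling of the same option
    fi
    reboot=$(xl_opt "$cfg" on_reboot)
    if [ -z "$reboot" ]; then
        reboot=restart                   # xl's default when on_reboot is absent
    fi
    if [ "$vtype" != hvm ]; then
        echo "$cfg: not an HVM guest, not affected"
        return 0
    fi
    if ! has_passthrough "$cfg"; then
        echo "$cfg: HVM guest without PCI pass-through, not affected"
        return 0
    fi
    if [ "$reboot" = destroy ]; then
        echo "$cfg: on_reboot=destroy; vectors still leak once, but no reboot loop"
        return 0
    fi
    echo "$cfg: HVM with PCI pass-through and on_reboot=$reboot; exposed to XSA-360"
    return 1
}
```

Run it over a directory of guest configs, e.g. `for f in /etc/xen/*.cfg; do xsa360_check "$f"; done`, and treat a non-zero return as a config to review.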