Re: Xen Security Advisory 476 v1 (CVE-2025-58149) - Incorrect removal of permissions on PCI device unplug
On 24/10/2025 1:54 pm, Teddy Astie wrote:
> On 24/10/2025 at 14:14, Xen.org security team wrote:
>> Xen Security Advisory CVE-2025-58149 / XSA-476
>>
>> Incorrect removal of permissions on PCI device unplug
>>
>> ISSUE DESCRIPTION
>> =================
>>
>> When passing through PCI devices, the detach logic in libxl won't remove
>> access permissions to any 64bit memory BARs the device might have. As a
>> result a domain can still have access to any 64bit memory BAR when such
>> device is no longer assigned to the domain.
>>
> Is it exclusive to devices where bar is above 32-bits (which requires
> things like Above 4G Decoding / Resizable BAR) or all devices are affected ?

The scanf() only gets the bottom 32 bits of the BAR address, and drops
the upper bits.

>
>> For PV domains the permission leak allows the domain itself to map the memory
>> in the page-tables. For HVM it would require a compromised device model or
>> stubdomain to map the leaked memory into the HVM domain p2m.
>>
> Do HVM guests actually need the device model to perform this ?

It's DOMCTL_memory_mapping which modifies the P2M. An HVM guest would
need to get the device model to make this hypercall on its behalf in a
non-standard way.

>
>> IMPACT
>> ======
>>
>> A buggy or malicious PV guest can access memory of PCI devices no longer
>> assigned to it.
>>
>> VULNERABLE SYSTEMS
>> ==================
>>
>> Xen versions 4.0 and newer are vulnerable.
>>
>> Only PV guests with PCI passthrough devices can leverage the vulnerability.
>>
>> Only domains whose PCI devices are managed by the libxl library are affected.
>> This includes the xl toolstack and xapi, which uses the xl toolstack when
>> dealing with PCI devices.
>>
> XAPI doesn't appear to have PCI hotplug facilities, so shouldn't be
> able to trigger this vulnerability. Unless I missed something.

Xapi execs `xl pci-attach/detach`.

~Andrew
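Added example, not part of the thread and not libxl's code: a C model of the truncation described in the reply above, showing which BAR ranges a revoke computed from 32-bit values would fail to cover. It assumes the three-column hex "start end flags" layout that Linux uses in a PCI device's sysfs resource file; the function names and sample lines are constructed, and the truncation is modelled with an explicit cast rather than by reproducing the faulty scanf() call.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* One "start end flags" line (layout is an assumption, see lead-in). */
struct bar_range { uint64_t start, end, flags; };

/* Parse all three fields at full 64-bit width. 0 on success, -1 if malformed. */
int parse_bar(const char *line, struct bar_range *out)
{
    if (sscanf(line, "0x%" SCNx64 " 0x%" SCNx64 " 0x%" SCNx64,
               &out->start, &out->end, &out->flags) != 3)
        return -1;
    return out->start <= out->end ? 0 : -1;
}

/* Model of the faulty read: only the bottom 32 bits of each address survive. */
struct bar_range truncate32(struct bar_range r)
{
    r.start = (uint32_t)r.start;
    r.end = (uint32_t)r.end;
    return r;
}

/* 1 if a revoke built from the truncated values would not match the real BAR. */
int revoke_misses_bar(const struct bar_range *real)
{
    struct bar_range t = truncate32(*real);
    return t.start != real->start || t.end != real->end;
}

/* Constructed sample lines, not taken from a real host. */
static const char *samples[] = {
    "0x00000000fe000000 0x00000000fe00ffff 0x0000000000040200", /* below 4G */
    "0x0000380000000000 0x000038000fffffff 0x000000000014220c", /* above 4G */
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct bar_range r;
        if (parse_bar(samples[i], &r) != 0)
            continue;
        printf("real 0x%" PRIx64 "-0x%" PRIx64 " -> %s\n", r.start, r.end,
               revoke_misses_bar(&r) ? "revoke misses BAR" : "revoke matches");
    }
    return 0;
}
```

A BAR whose addresses fit in 32 bits is unchanged by the truncation, so only the second sample is reported as missed.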