* Re: Xen Security Advisory 43 (CVE-2013-0231) - Linux pciback DoS via not rate limited log messages.
[not found] <E1U2iMn-0008As-4b@xenbits.xen.org>
@ 2013-02-22 14:17 ` Jan Beulich
2013-02-22 15:44 ` Konrad Rzeszutek Wilk
From: Jan Beulich @ 2013-02-22 14:17 UTC
To: Konrad Rzeszutek Wilk; +Cc: xen-devel
>>> On 05.02.13 at 14:15, Xen.org security team <security@xen.org> wrote:
> RESOLUTION
> ==========
>
> Applying the appropriate attached patch resolves this issue.
>
> xsa43-pvops.patch Apply to mainline Linux 3.8-rc5.
I realized the other day that stable@ wasn't Cc-ed on this one
either, and I think it would be more authoritative if you as the
maintainer of the patched code asked for this being added there.
Thanks, Jan
* Xen Security Advisory 43 (CVE-2013-0231) - Linux pciback DoS via not rate limited log messages.
@ 2013-02-05 13:15 Xen.org security team
From: Xen.org security team @ 2013-02-05 13:15 UTC
To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team
[-- Attachment #1: Type: text/plain, Size: 1734 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Xen Security Advisory CVE-2013-0231 / XSA-43
version 2

Linux pciback DoS via not rate limited log messages.

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Xen's PCI backend drivers in Linux allow a guest with assigned PCI device(s)
to cause a DoS through a flood of kernel messages, potentially affecting other
domains in the system.

IMPACT
======

A malicious guest can mount a DoS affecting the entire system.

VULNERABLE SYSTEMS
==================

All systems running guests with access to passed through PCI devices are
vulnerable.

Both mainline ("pvops") and classic-Xen patch kernels are affected.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa43-pvops.patch      Apply to mainline Linux 3.8-rc5.
xsa43-classic.patch    Apply to linux-2.6.18-xen tree.

$ sha256sum xsa43*.patch
4dec2d9b043bce2b8b54578573ba254fa7e6cbf4640cd100f40d8bf8a5a6a470 xsa43-classic.patch
6efe83c9951dcba20f18095814d19089e19230c6876bbdab32cc2f1165bb07c8 xsa43-pvops.patch
$
[-- Attachment #2: xsa43-classic.patch --]
[-- Type: application/octet-stream, Size: 884 bytes --]
pciback: rate limit error message from pciback_enable_msi()
... as being guest triggerable (e.g. by invoking XEN_PCI_OP_enable_msi
on a device not being MSI capable).
This is CVE-2013-0231 / XSA-43.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/drivers/xen/pciback/conf_space_capability_msi.c
+++ b/drivers/xen/pciback/conf_space_capability_msi.c
@@ -11,13 +11,12 @@
int pciback_enable_msi(struct pciback_device *pdev,
struct pci_dev *dev, struct xen_pci_op *op)
{
- int otherend = pdev->xdev->otherend_id;
- int status;
-
- status = pci_enable_msi(dev);
+ int status = pci_enable_msi(dev);
if (status) {
- printk("error enable msi for guest %x status %x\n", otherend, status);
+ if (printk_ratelimit())
+ printk("error enabling MSI for guest %u status %d\n",
+ pdev->xdev->otherend_id, status);
op->value = 0;
return XEN_PCI_ERR_op_failed;
}
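Review bot: the new `printk()` call in the `if (status)` branch still carries no log level and does not name the device, so a rate-limited line is harder to attribute than it needs to be; consider `printk(KERN_WARNING ...)` and adding `pci_name(dev)` next to `pdev->xdev->otherend_id`. Note too that `printk_ratelimit()` draws on one limiter shared by every caller in the kernel, so while a guest keeps triggering this path, unrelated rate-limited messages can be dropped as well; that trade-off deserves a sentence in the commit message. The switch from `%x` to `%u`/`%d` for the domain id and status is a good change.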
[-- Attachment #3: xsa43-pvops.patch --]
[-- Type: application/octet-stream, Size: 1786 bytes --]
xen-pciback: rate limit error messages from xen_pcibk_enable_msi{,x}()
... as being guest triggerable (e.g. by invoking
XEN_PCI_OP_enable_msi{,x} on a device not being MSI/MSI-X capable).
This is CVE-2013-0231 / XSA-43.
Also make the two messages uniform in both their wording and severity.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
drivers/xen/xen-pciback/pciback_ops.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- 3.8-rc5/drivers/xen/xen-pciback/pciback_ops.c
+++ 3.8-rc5-xen-pciback-ratelimit/drivers/xen/xen-pciback/pciback_ops.c
@@ -135,7 +135,6 @@ int xen_pcibk_enable_msi(struct xen_pcib
struct pci_dev *dev, struct xen_pci_op *op)
{
struct xen_pcibk_dev_data *dev_data;
- int otherend = pdev->xdev->otherend_id;
int status;
if (unlikely(verbose_request))
@@ -144,8 +143,9 @@ int xen_pcibk_enable_msi(struct xen_pcib
status = pci_enable_msi(dev);
if (status) {
- printk(KERN_ERR "error enable msi for guest %x status %x\n",
- otherend, status);
+ pr_warn_ratelimited(DRV_NAME ": %s: error enabling MSI for guest %u: err %d\n",
+ pci_name(dev), pdev->xdev->otherend_id,
+ status);
op->value = 0;
return XEN_PCI_ERR_op_failed;
}
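Review bot: `pr_warn_ratelimited()` keeps its budget per call site, not per guest, so in this `if (status)` branch one guest that keeps failing `pci_enable_msi()` can use up the allowance and hide a genuine failure on another guest's device; the commit message should say this is accepted, or the limit should be tracked per device. The message also drops from `KERN_ERR` to warning level and changes its text, which the commit message covers only as making the two messages uniform; log monitoring that matches the old `error enable msi for guest` string or filters on severity will need updating.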
@@ -223,10 +223,10 @@ int xen_pcibk_enable_msix(struct xen_pci
pci_name(dev), i,
op->msix_entries[i].vector);
}
- } else {
- printk(KERN_WARNING DRV_NAME ": %s: failed to enable MSI-X: err %d!\n",
- pci_name(dev), result);
- }
+ } else
+ pr_warn_ratelimited(DRV_NAME ": %s: error enabling MSI-X for guest %u: err %d!\n",
+ pci_name(dev), pdev->xdev->otherend_id,
+ result);
kfree(entries);
op->value = result;
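Review bot: the `else` branch loses its braces while the preceding branch still closes with `}`, and kernel coding style asks for braces on both branches when either one needs them; keep `} else {` and the closing `}` around the `pr_warn_ratelimited()` call. The new text also ends in `err %d!`, whereas the MSI message in `xen_pcibk_enable_msi()` ends in `err %d`, so the two are not yet uniform in wording as the commit message says; drop the `!`.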