From: Joanna Rutkowska <joanna@invisiblethingslab.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: xen-devel@lists.xensource.com
Subject: Re: Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Date: Fri, 13 May 2011 19:32:02 +0200 [thread overview]
Message-ID: <4DCD6B12.8040700@invisiblethingslab.com> (raw)
In-Reply-To: <19915.58644.191837.671729@mariner.uk.xensource.com>
[-- Attachment #1.1: Type: text/plain, Size: 4914 bytes --]
Our paper describing the attacks can be now downloaded from here:
http://www.invisiblethingslab.com/itl/Resources.html
(Sorry the actual link contains spaces and would likely by unclickable
if I pasted it here).
Cheers,
joanna.
On 05/12/11 15:48, Ian Jackson wrote:
> Xen security advisory CVE-2011-1898
> VT-d (PCI passthrough) MSI trap injection
>
> ISSUE DESCRIPTION
> =================
>
> Intel VT-d chipsets without interrupt remapping do not prevent a guest
> which owns a PCI device from using DMA to generate MSI interrupts by
> writing to the interrupt injection registers. This can be exploited
> to inject traps and gain control of the host.
>
>
> VULNERABLE SYSTEMS
> ==================
>
> You are not vulnerable if you do not use "PCI passthrough". That is,
> if you do not pass actual PCI devices (eg, graphics and network
> controllers) through to guests, for use by PCI device drivers in the
> guest.
>
> In Xen with xend/xm or with xl this would be enabled by the "pci="
> option in the domain config file, or by using the "xl pci-attach" or
> "xm pci-attach" management command; if you do not use these features,
> you are not vulnerable.
>
> You are not vulnerable if you are using PCI passthrough, but are not
> using Intel VT-d or AMD-Vi (aka "iommu") to attempt to prevent escape
> by guest DMA. This is because in such a configuration, privilege
> escalation and denial of service are possible by guests anyway, and
> the present issue does not make the situation any worse.
>
> You are vulnerable if you use Intel VT-d to pass PCI devices through
> to untrusted guests, unless your have interrupt remapping supported
> and enabled. This is the case whether you are using Xen, KVM, or
> another virtualisation system.
>
> Interrupt remapping is available in newer Intel VT-d chipsets.
>
>
> IMPACT
> ======
>
> A guest given a PCI passthrough device can escalate its privilege and
> gain control of the whole system.
>
>
> MITIGATION AND RESOLUTION
> =========================
>
> No complete software fix is available but we understand that Intel has
> addressed this issue with newer hardware.
>
> We believe a patch along the lines of the one attached can be applied
> to Xen to reduce the impact to a denial of service. Even with such a
> patch, a guest can still cause a complete system crash or resource
> starvation.
>
> Upgrading to recent hardware that is interrupt remapping capable will
> resolve the remaining denial of service issues. Support for interrupt
> remapping, when the hardware is capable, is present in all currently
> maintained versions of Xen.
>
> On such recent hardware, when passing pci devices through to untrusted
> guests, we recommend the use of the "iommu=required" Xen command line
> boot option and the second atttached patch, to avoid unknowingly
> booting into a vulnerable configuration.
>
>
> REFERENCES
> ==========
>
> Thanks to Rafal Wojtczuk and Joanna Rutkowska of Invisible Things Lab
> for bringing this issue to our attention. Their paper on the attack
> will soon be available from Invisible Things Lab, at
> www.invisiblethingslab.com.
>
> Information regarding chipset versions and interrupt remapping support
> should be available from Intel; please use your usual support and
> security response channels at Intel.
>
> We believe that this vulnerability exists with all virtualisation
> systems which aim to support passing pci devices through to
> untrusted guests, on the affected Intel hardware. If you are using
> a hypervisor other than Xen please refer to your hypervisor's usual
> security support and advisory release channels.
>
>
> PATCHES
> =======
>
> The first patch is intended to reduce the impact from full privilege
> escalation to denial of service.
> Filename: 00-block-msis-on-trap-vectors
> SHA1: 0fcc1914714c228e98b3e84597e06cb5de09003c
> SHA256: 998e8d5632ee6ad92f52796fe94923f9c38096c5adf2ca74209a6792436ea1e9
>
> The second patch is intended to ensure that when Xen boots with
> "iommu=required" it will also insist that interrupt remapping is
> supported and enabled. It arranges that booting with that option on
> vulnerable hardware will fail, rather than appearing to succeed but
> actually being vulnerable to guests.
> Filename: intremap05033.patch
> SHA1: 1cd26adc5ead0c07b67bf354f03164235d67395c
> SHA256: 7f8c7d95d33bbd5c4f25671b380e70020fda1ba6cb50b67e59131fa8e59c1c66
>
> Unfortunately we have not been able to test either patch. Both will
> be applied to xen-unstable very soon. We also intend to provide
> backports in the supported released Xen trees.
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 518 bytes --]
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
next prev parent reply other threads:[~2011-05-13 17:32 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-12 13:48 Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI Ian Jackson
2011-05-12 13:49 ` Ian Jackson
2011-05-13 8:08 ` Jan Beulich
2011-05-13 11:08 ` Joanna Rutkowska
2011-05-13 11:11 ` Ian Campbell
2011-05-13 11:20 ` Joanna Rutkowska
2011-05-13 12:34 ` Jan Beulich
2011-05-13 12:29 ` Jan Beulich
2011-05-13 12:50 ` Tim Deegan
2011-05-13 10:25 ` Ian Campbell
2011-05-16 21:34 ` Cihula, Joseph
2011-05-18 8:53 ` Ian Campbell
2011-05-18 10:03 ` Keir Fraser
2011-05-18 10:06 ` Ian Campbell
2011-05-13 17:32 ` Joanna Rutkowska [this message]
2011-05-13 17:35 ` Joanna Rutkowska
-- strict thread matches above, loose matches on Subject: below --
2011-05-17 7:42 Jan Beulich
2011-05-17 22:52 ` Cihula, Joseph
2011-05-18 8:54 ` Ian Campbell
2011-05-19 20:48 ` Cihula, Joseph
2011-05-20 10:17 ` Tim Deegan
2011-05-20 16:02 ` Cihula, Joseph
2011-05-22 18:14 ` Tim Deegan
2011-05-23 21:35 ` Cihula, Joseph
2011-05-24 9:03 ` Tim Deegan
2011-05-24 16:56 ` Ian Jackson
2011-05-24 19:23 ` Cihula, Joseph
2011-05-25 10:46 ` Alan Cox
2011-05-20 17:19 ` Ian Jackson
2011-05-22 18:15 ` Tim Deegan
2011-05-23 9:02 ` Ian Campbell
2011-05-24 15:15 ` Ian Jackson
2011-05-24 15:57 ` Keir Fraser
2011-05-24 16:16 ` Ian Pratt
2011-05-24 17:14 ` Ian Jackson
2011-05-24 19:35 ` Cihula, Joseph
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DCD6B12.8040700@invisiblethingslab.com \
--to=joanna@invisiblethingslab.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.