Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Teddy Astie" <teddy.astie@vates.tech>
To: "Xen.org security team" <security@xen.org>,
	xen-announce@lists.xen.org, xen-devel@lists.xen.org,
	xen-users@lists.xen.org, oss-security@lists.openwall.com
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through
Date: Thu, 27 Feb 2025 15:33:18 +0000	[thread overview]
Message-ID: <5ecf18f8-e8e9-431d-bb59-4631a598574e@vates.tech> (raw)
In-Reply-To: <E1tndOO-00CM3B-2R@xenbits.xenproject.org>

Hello,

Le 27/02/2025 à 13:57, Xen.org security team a écrit :
>              Xen Security Advisory CVE-2025-1713 / XSA-467
>
>      deadlock potential with VT-d and legacy PCI device pass-through
>
> ISSUE DESCRIPTION
> =================
>
> When setting up interrupt remapping for legacy PCI(-X) devices,
> including PCI(-X) bridges, a lookup of the upstream bridge is required.
> This lookup, itself involving acquiring of a lock, is done in a context
> where acquiring that lock is unsafe.  This can lead to a deadlock.
>
> IMPACT
> ======
>
> The passing through of certain kinds of devices to an unprivileged guest
> can result in a Denial of Service (DoS) affecting the entire host.
>
> Note: Normal usage of such devices by a privileged domain can also
>        trigger the issue.  In such a scenario, the deadlock is not
>        considered a security issue, but just a plain bug.
>
> VULNERABLE SYSTEMS
> ==================
>
> Xen versions 4.0 and later are affected.  Xen versions 3.4 and earlier
> are not directly affected, but had other issues.
>
> Systems with Intel IOMMU hardware (VT-d) are affected.  Systems using
> AMD or non-x86 hardware are not affected.
>
> Only systems where certain kinds of devices are passed through to an
> unprivileged guest are vulnerable.
>
> MITIGATION
> ==========
>
> Avoiding the passing through of the affected device types will avoid
> the vulnerability.
>

Is disabling interrupt remapping another way of mitigating this
vulnerability (e.g iommu=no-intremap) ?

> RESOLUTION
> ==========
>
> Applying the attached patch resolves this issue.
>
> Note that patches for released versions are generally prepared to
> apply to the stable branches, and may not apply cleanly to the most
> recent release tarball.  Downstreams are encouraged to update to the
> tip of the stable branch before applying these patches.
>
> xsa467.patch           xen-unstable - Xen 4.17.x
>
> $ sha256sum xsa467*
> 2fffaa8892b3daecd698b4af95701045874a76edc2e18c8d2abbec85a39aa05c  xsa467.patch
> $
>
> NOTE REGARDING LACK OF EMBARGO
> ==============================
>
> The issue was reported initially on a public bug tracker and discussed in
> public before it was realized that there was a security aspect.

Teddy


Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech

next prev parent reply	other threads:[~2025-02-27 15:33 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-27 12:53 Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Xen.org security team
2025-02-27 15:33 ` Teddy Astie [this message]
2025-02-28  2:42   ` [oss-security] " Demi Marie Obenour

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5ecf18f8-e8e9-431d-bb59-4631a598574e@vates.tech \
    --to=teddy.astie@vates.tech \
    --cc=oss-security@lists.openwall.com \
    --cc=security-team-members@xen.org \
    --cc=security@xen.org \
    --cc=xen-announce@lists.xen.org \
    --cc=xen-devel@lists.xen.org \
    --cc=xen-users@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.