From: Demi Marie Obenour <demi@invisiblethingslab.com>
To: oss-security@lists.openwall.com,
"Xen.org security team" <security@xen.org>,
xen-announce@lists.xen.org, xen-devel@lists.xen.org,
xen-users@lists.xen.org
Cc: "Xen.org security team" <security-team-members@xen.org>
Subject: Re: [oss-security] Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through
Date: Thu, 27 Feb 2025 21:42:15 -0500 [thread overview]
Message-ID: <Z8Eii3DYNDoKNNhg@itl-email> (raw)
In-Reply-To: <5ecf18f8-e8e9-431d-bb59-4631a598574e@vates.tech>
[-- Attachment #1: Type: text/plain, Size: 1971 bytes --]
On Thu, Feb 27, 2025 at 03:33:18PM +0000, Teddy Astie wrote:
> Hello,
>
> Le 27/02/2025 à 13:57, Xen.org security team a écrit :
> > Xen Security Advisory CVE-2025-1713 / XSA-467
> >
> > deadlock potential with VT-d and legacy PCI device pass-through
> >
> > ISSUE DESCRIPTION
> > =================
> >
> > When setting up interrupt remapping for legacy PCI(-X) devices,
> > including PCI(-X) bridges, a lookup of the upstream bridge is required.
> > This lookup, itself involving acquiring of a lock, is done in a context
> > where acquiring that lock is unsafe. This can lead to a deadlock.
> >
> > IMPACT
> > ======
> >
> > The passing through of certain kinds of devices to an unprivileged guest
> > can result in a Denial of Service (DoS) affecting the entire host.
> >
> > Note: Normal usage of such devices by a privileged domain can also
> > trigger the issue. In such a scenario, the deadlock is not
> > considered a security issue, but just a plain bug.
> >
> > VULNERABLE SYSTEMS
> > ==================
> >
> > Xen versions 4.0 and later are affected. Xen versions 3.4 and earlier
> > are not directly affected, but had other issues.
> >
> > Systems with Intel IOMMU hardware (VT-d) are affected. Systems using
> > AMD or non-x86 hardware are not affected.
> >
> > Only systems where certain kinds of devices are passed through to an
> > unprivileged guest are vulnerable.
> >
> > MITIGATION
> > ==========
> >
> > Avoiding the passing through of the affected device types will avoid
> > the vulnerability.
> >
>
> Is disabling interrupt remapping another way of mitigating this
> vulnerability (e.g iommu=no-intremap) ?
No, as this allows other attacks that allow denial of service at the
very least. See
https://lore.kernel.org/xen-devel/19915.58644.191837.671729@mariner.uk.xensource.com/.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2025-02-28 2:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-27 12:53 Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through Xen.org security team
2025-02-27 15:33 ` Teddy Astie
2025-02-28 2:42 ` Demi Marie Obenour [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z8Eii3DYNDoKNNhg@itl-email \
--to=demi@invisiblethingslab.com \
--cc=oss-security@lists.openwall.com \
--cc=security-team-members@xen.org \
--cc=security@xen.org \
--cc=xen-announce@lists.xen.org \
--cc=xen-devel@lists.xen.org \
--cc=xen-users@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.