From: "Michael S. Tsirkin" <mst@redhat.com>
To: Ian Campbell <ian.campbell@citrix.com>
Cc: Andrew Cooper <Andrew.Cooper3@citrix.com>,
xen-devel@lists.xensource.com, pmatouse@redhat.com,
qemu-devel@nongnu.org,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Subject: Re: [Qemu-devel] [Xen-devel] [PATCH][XSA-126] xen: limit guest control of PCI command register
Date: Wed, 1 Apr 2015 12:12:06 +0200 [thread overview]
Message-ID: <20150401120424-mutt-send-email-mst@redhat.com> (raw)
In-Reply-To: <1427881845.2115.263.camel@citrix.com>
On Wed, Apr 01, 2015 at 10:50:45AM +0100, Ian Campbell wrote:
> On Wed, 2015-04-01 at 10:20 +0100, Stefano Stabellini wrote:
> > CC'ing the author of the patch and xen-devel.
>
> Adding Andy C who I think knows about this stuff.
>
> > FYI I think that Jan is going to be on vacation for a couple of weeks.
> >
> > On Wed, 1 Apr 2015, Michael S. Tsirkin wrote:
> > > On Tue, Mar 31, 2015 at 03:18:03PM +0100, Stefano Stabellini wrote:
> > > > From: Jan Beulich <jbeulich@suse.com>
> > > >
> > > > Otherwise the guest can abuse that control to cause e.g. PCIe
> > > > Unsupported Request responses (by disabling memory and/or I/O decoding
> > > > and subsequently causing [CPU side] accesses to the respective address
> > > > ranges), which (depending on system configuration) may be fatal to the
> > > > host.
> > > >
> > > > This is CVE-2015-2756 / XSA-126.
> > > >
> > > > Signed-off-by: Jan Beulich <jbeulich@suse.com>
> > > > Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
> > > > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> > >
> > > The patch description seems somewhat incorrect to me.
> > > UR should not be fatal to the system, and it's not platform
> > > specific.
> >
> > I think that people have been able to repro this, but I'll let Jan
> > comment on it.
>
> XSA-126 says:
>
> In the event that the platform surfaces aforementioned UR responses as
> Non-Maskable Interrupts,
> and either the OS is configured to treat NMIs
> as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
> these errors as fatal, the host would crash, leading to a Denial of
> Service.
>
> AIUI from the discussions on security@ (perhaps in the context of -120
> rather than this) using ACPI APEI in this way is the norm. Andy?
The implementation note at the bottom explains when this
happens I think: it's when you are using a 1.0a function
(which is pretty old - 1.1 went out 10 years ago)
and enable UR reporting in the AER register.
It sounds quite reasonable to detect such hardware and disable UR
reporting, even though APEI tells you AER is supported.
>
> > > Here's the description from pci express spec:
> > >
> > > IMPLEMENTATION NOTE
> > > Software UR Reporting Compatibility with 1.0a Devices
> > >
> > > With 1.0a device Functions, 96 if the Unsupported Request Reporting Enable bit is set, the Function
> > > when operating as a Completer will send an uncorrectable error Message (if enabled) when a UR
> > > error is detected. On platforms where an uncorrectable error Message is handled as a System Error,
> > > this will break PC-compatible Configuration Space probing, so software/firmware on such
> > > platforms may need to avoid setting the Unsupported Request Reporting Enable bit.
> > > With device Functions implementing Role-Based Error Reporting, setting the Unsupported Request
> > > Reporting Enable bit will not interfere with PC-compatible Configuration Space probing, assuming
> > > that the severity for UR is left at its default of non-fatal. However, setting the Unsupported Request
> > > Reporting Enable bit will enable the Function to report UR errors detected with posted Requests,
> > > helping avoid this case for potential silent data corruption.
> > > On platforms where robust error handling and PC-compatible Configuration Space probing is
> > > required, it is suggested that software or firmware have the Unsupported Request Reporting Enable
> > > bit Set for Role-Based Error Reporting Functions, but clear for 1.0a Functions. Software or
> > > firmware can distinguish the two classes of Functions by examining the Role-Based Error Reporting
> > > bit in the Device Capabilities register.
> > >
> > >
> > > What I think you have is a very old 1.0a system, and host set Unsupported
> > > Request Reporting Enable.
> > >
> > > The right thing is for host kernel
>
> I think part of the problem is that its not the host kernel acting as
> "Completer" here, but rather the host firmware, which we do not control.
> I think Andy can probably confirm or deny this.
>
> Ian.
No, the Completer is the assigned device.
Host firmware configures whether uncorrectable error Message generates
NMIs, but it's not the one that configures Unsupported Request Reporting
Enable - host OS does this.
--
MST
next prev parent reply other threads:[~2015-04-01 10:12 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-31 14:18 [Qemu-devel] [PATCH][XSA-126] xen: limit guest control of PCI command register Stefano Stabellini
2015-04-01 9:01 ` Michael S. Tsirkin
2015-04-01 9:20 ` Stefano Stabellini
2015-04-01 9:32 ` Michael S. Tsirkin
2015-04-01 9:41 ` [Qemu-devel] [Xen-devel] " Andrew Cooper
2015-04-01 9:59 ` Michael S. Tsirkin
2015-04-13 8:17 ` Jan Beulich
2015-04-13 11:19 ` Michael S. Tsirkin
2015-04-13 11:34 ` Jan Beulich
2015-04-13 11:47 ` Michael S. Tsirkin
2015-04-13 12:40 ` Jan Beulich
2015-04-13 12:47 ` Michael S. Tsirkin
2015-04-13 12:51 ` Jan Beulich
2015-04-20 13:43 ` Michael S. Tsirkin
2015-04-20 14:08 ` Jan Beulich
2015-04-20 14:32 ` Michael S. Tsirkin
2015-04-20 14:57 ` Jan Beulich
2015-06-07 6:23 ` Michael S. Tsirkin
2015-06-08 7:42 ` Jan Beulich
2015-06-08 8:09 ` Malcolm Crossley
2015-06-08 8:59 ` Michael S. Tsirkin
2015-06-08 9:03 ` Jan Beulich
2015-06-08 9:36 ` Michael S. Tsirkin
2015-06-08 10:55 ` Jan Beulich
2015-06-08 11:28 ` Michael S. Tsirkin
2015-06-08 11:44 ` Jan Beulich
2015-06-10 7:00 ` Jan Beulich
2015-06-10 11:43 ` Michael S. Tsirkin
2015-06-10 12:06 ` Jan Beulich
2015-06-10 13:35 ` Michael S. Tsirkin
2015-06-08 9:30 ` Michael S. Tsirkin
2015-06-08 10:38 ` Jan Beulich
2015-06-10 7:08 ` Jan Beulich
2015-06-10 11:46 ` Michael S. Tsirkin
2015-06-10 12:10 ` Jan Beulich
2015-04-01 9:50 ` Ian Campbell
2015-04-01 10:12 ` Michael S. Tsirkin [this message]
2015-04-09 18:10 ` [Qemu-devel] " Peter Maydell
2015-04-10 11:45 ` Peter Maydell
2015-04-10 11:49 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150401120424-mutt-send-email-mst@redhat.com \
--to=mst@redhat.com \
--cc=Andrew.Cooper3@citrix.com \
--cc=ian.campbell@citrix.com \
--cc=pmatouse@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).