From: Joanna Rutkowska <joanna@invisiblethingslab.com>
To: Jan Beulich <JBeulich@novell.com>
Cc: Keir Fraser <keir@xen.org>,
xen-devel@lists.xensource.com,
Ian Jackson <Ian.Jackson@eu.citrix.com>
Subject: Re: Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Date: Fri, 13 May 2011 13:08:16 +0200 [thread overview]
Message-ID: <4DCD1120.5020606@invisiblethingslab.com> (raw)
In-Reply-To: <4DCD030902000078000412C8@vpn.id2.novell.com>
[-- Attachment #1.1: Type: text/plain, Size: 2213 bytes --]
On 05/13/11 10:08, Jan Beulich wrote:
>>>> On 12.05.11 at 15:48, Ian Jackson <Ian.Jackson@eu.citrix.com> wrote:
>> Intel VT-d chipsets without interrupt remapping do not prevent a guest
>> which owns a PCI device from using DMA to generate MSI interrupts by
>> writing to the interrupt injection registers. This can be exploited
>> to inject traps and gain control of the host.
>
> Isn't that (or at least can't that be) prevented with DMA remapping?
>
No. That's sort of the key point here, and the reason why IR hardware is
required.
>> The first patch is intended to reduce the impact from full privilege
>> escalation to denial of service.
>> Filename: 00-block-msis-on-trap-vectors
>> SHA1: 0fcc1914714c228e98b3e84597e06cb5de09003c
>> SHA256: 998e8d5632ee6ad92f52796fe94923f9c38096c5adf2ca74209a6792436ea1e9
>
> You modify only 64-bit and only VT-d code here. While I know you
> don't care much for it, doing the same for 32-bit would seem trivial.
>
> As to AMD's IOMMU, it may well be that interrupt re-mapping isn't
> optional in the hardware (albeit it can be disabled on the command
> line, though that's the admin's security risk then), but the code
> having BUG_ON()s on failed allocations and those allocations
> happening in table parsing callbacks doesn't really make this
> explicit (for me at least) on the first glance.
>
> Finally, wouldn't killing all guests that potentially could have caused
> the problem be a better measure than bringing down the host?
>
Killing the guest might no longer be enough, because the guest might
have already programmed the device to keep sending malicious MSIs. So,
panic()ing the whole VMM seems like a safer choice. Keep in mind that on
a non-IR hardware there are probably many other ways for the malicious
driver domain to cause global DoS. (In fact, my impression is that most
people regarded IR as an anti-DoS mechanism, and I believe our paper is
the first to show that the problems were far worse than possible DoS.)
joanna.
> Jan
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 518 bytes --]
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
next prev parent reply other threads:[~2011-05-13 11:08 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-12 13:48 Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI Ian Jackson
2011-05-12 13:49 ` Ian Jackson
2011-05-13 8:08 ` Jan Beulich
2011-05-13 11:08 ` Joanna Rutkowska [this message]
2011-05-13 11:11 ` Ian Campbell
2011-05-13 11:20 ` Joanna Rutkowska
2011-05-13 12:34 ` Jan Beulich
2011-05-13 12:29 ` Jan Beulich
2011-05-13 12:50 ` Tim Deegan
2011-05-13 10:25 ` Ian Campbell
2011-05-16 21:34 ` Cihula, Joseph
2011-05-18 8:53 ` Ian Campbell
2011-05-18 10:03 ` Keir Fraser
2011-05-18 10:06 ` Ian Campbell
2011-05-13 17:32 ` Joanna Rutkowska
2011-05-13 17:35 ` Joanna Rutkowska
-- strict thread matches above, loose matches on Subject: below --
2011-05-17 7:42 Jan Beulich
2011-05-17 22:52 ` Cihula, Joseph
2011-05-18 8:54 ` Ian Campbell
2011-05-19 20:48 ` Cihula, Joseph
2011-05-20 10:17 ` Tim Deegan
2011-05-20 16:02 ` Cihula, Joseph
2011-05-22 18:14 ` Tim Deegan
2011-05-23 21:35 ` Cihula, Joseph
2011-05-24 9:03 ` Tim Deegan
2011-05-24 16:56 ` Ian Jackson
2011-05-24 19:23 ` Cihula, Joseph
2011-05-25 10:46 ` Alan Cox
2011-05-20 17:19 ` Ian Jackson
2011-05-22 18:15 ` Tim Deegan
2011-05-23 9:02 ` Ian Campbell
2011-05-24 15:15 ` Ian Jackson
2011-05-24 15:57 ` Keir Fraser
2011-05-24 16:16 ` Ian Pratt
2011-05-24 17:14 ` Ian Jackson
2011-05-24 19:35 ` Cihula, Joseph
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DCD1120.5020606@invisiblethingslab.com \
--to=joanna@invisiblethingslab.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@novell.com \
--cc=keir@xen.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).