From: Joanna Rutkowska <joanna@invisiblethingslab.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: xen-devel@lists.xensource.com
Subject: Re: Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
Date: Fri, 13 May 2011 19:32:02 +0200 [thread overview]
Message-ID: <4DCD6B12.8040700@invisiblethingslab.com> (raw)
In-Reply-To: <19915.58644.191837.671729@mariner.uk.xensource.com>
[-- Attachment #1.1: Type: text/plain, Size: 4914 bytes --]
Our paper describing the attacks can be now downloaded from here:
http://www.invisiblethingslab.com/itl/Resources.html
(Sorry the actual link contains spaces and would likely by unclickable
if I pasted it here).
Cheers,
joanna.
On 05/12/11 15:48, Ian Jackson wrote:
> Xen security advisory CVE-2011-1898
> VT-d (PCI passthrough) MSI trap injection
>
> ISSUE DESCRIPTION
> =================
>
> Intel VT-d chipsets without interrupt remapping do not prevent a guest
> which owns a PCI device from using DMA to generate MSI interrupts by
> writing to the interrupt injection registers. This can be exploited
> to inject traps and gain control of the host.
>
>
> VULNERABLE SYSTEMS
> ==================
>
> You are not vulnerable if you do not use "PCI passthrough". That is,
> if you do not pass actual PCI devices (eg, graphics and network
> controllers) through to guests, for use by PCI device drivers in the
> guest.
>
> In Xen with xend/xm or with xl this would be enabled by the "pci="
> option in the domain config file, or by using the "xl pci-attach" or
> "xm pci-attach" management command; if you do not use these features,
> you are not vulnerable.
>
> You are not vulnerable if you are using PCI passthrough, but are not
> using Intel VT-d or AMD-Vi (aka "iommu") to attempt to prevent escape
> by guest DMA. This is because in such a configuration, privilege
> escalation and denial of service are possible by guests anyway, and
> the present issue does not make the situation any worse.
>
> You are vulnerable if you use Intel VT-d to pass PCI devices through
> to untrusted guests, unless your have interrupt remapping supported
> and enabled. This is the case whether you are using Xen, KVM, or
> another virtualisation system.
>
> Interrupt remapping is available in newer Intel VT-d chipsets.
>
>
> IMPACT
> ======
>
> A guest given a PCI passthrough device can escalate its privilege and
> gain control of the whole system.
>
>
> MITIGATION AND RESOLUTION
> =========================
>
> No complete software fix is available but we understand that Intel has
> addressed this issue with newer hardware.
>
> We believe a patch along the lines of the one attached can be applied
> to Xen to reduce the impact to a denial of service. Even with such a
> patch, a guest can still cause a complete system crash or resource
> starvation.
>
> Upgrading to recent hardware that is interrupt remapping capable will
> resolve the remaining denial of service issues. Support for interrupt
> remapping, when the hardware is capable, is present in all currently
> maintained versions of Xen.
>
> On such recent hardware, when passing pci devices through to untrusted
> guests, we recommend the use of the "iommu=required" Xen command line
> boot option and the second atttached patch, to avoid unknowingly
> booting into a vulnerable configuration.
>
>
> REFERENCES
> ==========
>
> Thanks to Rafal Wojtczuk and Joanna Rutkowska of Invisible Things Lab
> for bringing this issue to our attention. Their paper on the attack
> will soon be available from Invisible Things Lab, at
> www.invisiblethingslab.com.
>
> Information regarding chipset versions and interrupt remapping support
> should be available from Intel; please use your usual support and
> security response channels at Intel.
>
> We believe that this vulnerability exists with all virtualisation
> systems which aim to support passing pci devices through to
> untrusted guests, on the affected Intel hardware. If you are using
> a hypervisor other than Xen please refer to your hypervisor's usual
> security support and advisory release channels.
>
>
> PATCHES
> =======
>
> The first patch is intended to reduce the impact from full privilege
> escalation to denial of service.
> Filename: 00-block-msis-on-trap-vectors
> SHA1: 0fcc1914714c228e98b3e84597e06cb5de09003c
> SHA256: 998e8d5632ee6ad92f52796fe94923f9c38096c5adf2ca74209a6792436ea1e9
>
> The second patch is intended to ensure that when Xen boots with
> "iommu=required" it will also insist that interrupt remapping is
> supported and enabled. It arranges that booting with that option on
> vulnerable hardware will fail, rather than appearing to succeed but
> actually being vulnerable to guests.
> Filename: intremap05033.patch
> SHA1: 1cd26adc5ead0c07b67bf354f03164235d67395c
> SHA256: 7f8c7d95d33bbd5c4f25671b380e70020fda1ba6cb50b67e59131fa8e59c1c66
>
> Unfortunately we have not been able to test either patch. Both will
> be applied to xen-unstable very soon. We also intend to provide
> backports in the supported released Xen trees.
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 518 bytes --]
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
next prev parent reply other threads:[~2011-05-13 17:32 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-12 13:48 Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI Ian Jackson
2011-05-12 13:49 ` Ian Jackson
2011-05-13 8:08 ` Jan Beulich
2011-05-13 11:08 ` Joanna Rutkowska
2011-05-13 11:11 ` Ian Campbell
2011-05-13 11:20 ` Joanna Rutkowska
2011-05-13 12:34 ` Jan Beulich
2011-05-13 12:29 ` Jan Beulich
2011-05-13 12:50 ` Tim Deegan
2011-05-13 10:25 ` Ian Campbell
2011-05-16 21:34 ` Cihula, Joseph
2011-05-18 8:53 ` Ian Campbell
2011-05-18 10:03 ` Keir Fraser
2011-05-18 10:06 ` Ian Campbell
2011-05-13 17:32 ` Joanna Rutkowska [this message]
2011-05-13 17:35 ` Joanna Rutkowska
-- strict thread matches above, loose matches on Subject: below --
2011-05-17 7:42 Jan Beulich
2011-05-17 22:52 ` Cihula, Joseph
2011-05-18 8:54 ` Ian Campbell
2011-05-19 20:48 ` Cihula, Joseph
2011-05-20 10:17 ` Tim Deegan
2011-05-20 16:02 ` Cihula, Joseph
2011-05-22 18:14 ` Tim Deegan
2011-05-23 21:35 ` Cihula, Joseph
2011-05-24 9:03 ` Tim Deegan
2011-05-24 16:56 ` Ian Jackson
2011-05-24 19:23 ` Cihula, Joseph
2011-05-25 10:46 ` Alan Cox
2011-05-20 17:19 ` Ian Jackson
2011-05-22 18:15 ` Tim Deegan
2011-05-23 9:02 ` Ian Campbell
2011-05-24 15:15 ` Ian Jackson
2011-05-24 15:57 ` Keir Fraser
2011-05-24 16:16 ` Ian Pratt
2011-05-24 17:14 ` Ian Jackson
2011-05-24 19:35 ` Cihula, Joseph
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DCD6B12.8040700@invisiblethingslab.com \
--to=joanna@invisiblethingslab.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).