From: Xen.org security team <security@xen.org>
To: xen-devel@lists.xenproject.org, yqcheng.2008@phdis.smu.edu.sg,
	zhangzhi2022@hotmail.com, junqing@pku.edu.cn
Cc: "Xen.org security team" <security@xen.org>
Subject: DRAFT XSA 78 - Insufficient TLB flushing in VT-d (iommu) code
Date: Wed, 20 Nov 2013 16:36:49 +0000
Message-ID: <E1VjAlk-00054R-Tm@xenbits.xen.org>

[-- Attachment #1: Type: text/plain, Size: 1275 bytes --]

***** DRAFT DRAFT DRAFT *****

                    Xen Security Advisory XSA-78

           Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.
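To make the failure mode in the description above concrete, here is an added C model of the unmap path; it is not Xen code and not from the advisory or the patch author. It assumes a single-level DMA page table, a direct-mapped IOTLB, and a flush routine that, as the advisory states, does nothing when the caller reports the cleared entry as not present. Every name with a `model_` prefix is hypothetical, and `dma_pte_present` here is a look-alike of the helper the commit message mentions, not Xen's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the path the advisory describes:
 * a single-level DMA page table, an IOTLB that caches translations,
 * and a clear-one routine that may or may not tell the flush that the
 * cleared entry was present.  None of this is Xen's code; names are
 * chosen to echo the patch so the mapping back is obvious. */

#define MODEL_NPAGES   8
#define PTE_PRESENT    1ull
#define MODEL_FAULT    UINT64_MAX

typedef struct { uint64_t val; } dma_pte_t;

struct model_iotlb_entry { bool valid; uint64_t gfn; uint64_t mfn; };

struct model_domain {
    dma_pte_t table[MODEL_NPAGES];                 /* guest frame -> PTE */
    struct model_iotlb_entry iotlb[MODEL_NPAGES];  /* direct-mapped IOTLB */
};

static bool dma_pte_present(dma_pte_t pte) { return (pte.val & PTE_PRESENT) != 0; }

static void model_map(struct model_domain *d, uint64_t gfn, uint64_t mfn)
{
    d->table[gfn % MODEL_NPAGES].val = (mfn << 12) | PTE_PRESENT;
}

/* Stand-in for __intel_iommu_iotlb_flush(): `present` plays the role of
 * the third argument.  As the advisory puts it, when the caller reports
 * the entry as not present, no invalidation happens. */
static void model_iotlb_flush(struct model_domain *d, uint64_t gfn, bool present)
{
    if (!present)
        return;                                    /* nothing to invalidate */
    d->iotlb[gfn % MODEL_NPAGES].valid = false;
}

/* Stand-in for dma_pte_clear_one().  `fixed` selects the post-XSA-78
 * call (flush told the entry was present) versus the pre-fix call,
 * which passed 0 in that position. */
static void model_dma_pte_clear_one(struct model_domain *d, uint64_t gfn, bool fixed)
{
    dma_pte_t *pte = &d->table[gfn % MODEL_NPAGES];

    if (!dma_pte_present(*pte))
        return;                    /* the early bail-out the commit message cites */
    pte->val = 0;                  /* entry cleared in memory ... */
    model_iotlb_flush(d, gfn, fixed); /* ... but the cache only if told "present" */
}

/* A device DMA access through the IOMMU: IOTLB hit first, else walk
 * the table and fill the IOTLB.  Returns the mfn or MODEL_FAULT. */
static uint64_t model_dma_translate(struct model_domain *d, uint64_t gfn)
{
    struct model_iotlb_entry *e = &d->iotlb[gfn % MODEL_NPAGES];
    dma_pte_t pte;

    if (e->valid && e->gfn == gfn)
        return e->mfn;                             /* page table not consulted */

    pte = d->table[gfn % MODEL_NPAGES];
    if (!dma_pte_present(pte))
        return MODEL_FAULT;                        /* DMA fault, access denied */

    e->valid = true;
    e->gfn = gfn;
    e->mfn = pte.val >> 12;
    return e->mfn;
}

/* Scenario from the advisory: map a frame for the guest's device, let the
 * device touch it (populating the IOTLB), revoke the mapping, then see
 * whether the device can still reach the old frame.  Returns the mfn the
 * device still resolves to, or MODEL_FAULT if the revocation took effect. */
static uint64_t model_access_after_unmap(bool fixed)
{
    struct model_domain d = {0};
    const uint64_t gfn = 3, mfn = 0x1234;          /* constructed sample values */

    model_map(&d, gfn, mfn);
    (void)model_dma_translate(&d, gfn);            /* warm the IOTLB */
    model_dma_pte_clear_one(&d, gfn, fixed);
    return model_dma_translate(&d, gfn);
}

int main(void)
{
    printf("pre-fix : device resolves gfn 3 to %#llx after unmap\n",
           (unsigned long long)model_access_after_unmap(false));
    printf("post-fix: device resolves gfn 3 to %#llx after unmap\n",
           (unsigned long long)model_access_after_unmap(true));
    return 0;
}
```

With `fixed == false` the page-table entry is gone but the IOTLB still holds the old translation, so the device keeps resolving the revoked frame; with `fixed == true` the flush invalidates the cached entry and the next access walks the table and faults. The broader lesson the model shows is that an invalidation gated on caller-supplied state is only as safe as every call site's bookkeeping, which is why the patch's commit message argues from the preceding presence check rather than from the flag.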

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$

[-- Attachment #2: xsa78.patch --]
[-- Type: application/octet-stream, Size: 872 bytes --]

VT-d: fix TLB flushing in dma_pte_clear_one()

The third parameter of __intel_iommu_iotlb_flush() is to indicate
whether the to-be-flushed entry was a present one. A few lines before,
we bailed if !dma_pte_present(*pte), so there's no need to check the
flag here again - we can simply always pass TRUE here.

This is XSA-78.

Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
     iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
 
     if ( !this_cpu(iommu_dont_flush_iotlb) )
-        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
+        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
 
     unmap_vtd_domain_page(page);
 
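Review bot: The whole fix rests on a bare literal 1 in the third argument, and nothing at the call site records why asserting "present" unconditionally is safe; a one-line comment above the call (e.g. /* entry was present: dma_pte_present() bail-out above */) would keep that dependency visible if the early return is ever moved or removed. The hunk also drops the stray space before the comma in the old line ("PAGE_SHIFT_4K , 0" becomes "PAGE_SHIFT_4K, 1"); folding it in is fine, but the commit message should say so, so that the whitespace change is not mistaken for part of the functional fix. The surrounding `if ( !this_cpu(iommu_dont_flush_iotlb) )` guard is unchanged, so when that per-CPU flag is set no flush happens here at all; that path is outside this hunk, but whoever sets the flag remains responsible for the later flush.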

[-- Attachment #3: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
