* DRAFT XSA 78 - Insufficient TLB flushing in VT-d (iommu) code
@ 2013-11-20 16:36 Xen.org security team
From: Xen.org security team @ 2013-11-20 16:36 UTC
To: xen-devel, yqcheng.2008, zhangzhi2022, junqing; +Cc: Xen.org security team
[-- Attachment #1: Type: text/plain, Size: 1275 bytes --]
***** DRAFT DRAFT DRAFT *****

Xen Security Advisory XSA-78

Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry. Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$
[-- Attachment #2: xsa78.patch --]
[-- Type: application/octet-stream, Size: 872 bytes --]
VT-d: fix TLB flushing in dma_pte_clear_one()

The third parameter of __intel_iommu_iotlb_flush() is to indicate
whether the to be flushed entry was a present one. A few lines before,
we bailed if !dma_pte_present(*pte), so there's no need to check the
flag here again - we can simply always pass TRUE here.

This is XSA-78.

Suggested-by: Cheng Yueqiang <yqcheng.2008@phdis.smu.edu.sg>
Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
if ( !this_cpu(iommu_dont_flush_iotlb) )
- __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
+ __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
unmap_vtd_domain_page(page);
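
Review bot: the changed call in dma_pte_clear_one() still passes its last two arguments as bare literals (`1, 1`), which makes an inverted flag like the one fixed here hard to spot in review. Add a one-line comment at the call stating that the third argument means "old entry was present" and that the earlier !dma_pte_present(*pte) bail-out mentioned in the commit message makes it always true at this point. The same line also drops the stray space in `PAGE_SHIFT_4K ,`, which is fine but is a cosmetic change riding along in a security fix.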
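
A minimal model of the failure the advisory describes, added here as an illustration; it is not Xen code and not part of the original message. All names (`model_iotlb_flush`, `model_clear_one`, the one-slot-per-page IOTLB) are hypothetical, and it assumes the flush routine skips invalidation when told the old entry was not present.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NPAGES   8
#define NO_FRAME UINT32_MAX

/* Toy model, hypothetical names: one PTE and one IOTLB slot per I/O page. */
static uint32_t pte[NPAGES];    /* NO_FRAME = entry not present */
static uint32_t iotlb[NPAGES];  /* NO_FRAME = nothing cached    */

static void model_reset(void) {
    for (int i = 0; i < NPAGES; i++) pte[i] = iotlb[i] = NO_FRAME;
}

/* Device access: use the cached translation, else walk the table and cache it. */
static uint32_t model_dma_translate(uint32_t gfn) {
    if (iotlb[gfn] == NO_FRAME && pte[gfn] != NO_FRAME)
        iotlb[gfn] = pte[gfn];
    return iotlb[gfn];
}

/* Assumption: if the old entry was not present, nothing can be cached for it,
 * so the invalidation is skipped. This makes the flag safety-critical. */
static void model_iotlb_flush(uint32_t gfn, bool old_pte_present) {
    if (old_pte_present)
        iotlb[gfn] = NO_FRAME;
}

/* Clear a present entry; flag_passed is what the caller claims about it. */
static void model_clear_one(uint32_t gfn, bool flag_passed) {
    if (pte[gfn] == NO_FRAME)
        return;                       /* early bail, as in the commit message */
    pte[gfn] = NO_FRAME;
    model_iotlb_flush(gfn, flag_passed);
}

/* Frame a device can still reach after map -> DMA -> unmap of page 3. */
static uint32_t frame_reachable_after_unmap(bool flag_passed) {
    model_reset();
    pte[3] = 0x1234;                  /* constructed sample mapping */
    (void)model_dma_translate(3);     /* device touches the page: now cached */
    model_clear_one(3, flag_passed);
    return model_dma_translate(3);
}

int main(void) {
    printf("flag=0: %#x  flag=1: %#x\n",
           (unsigned)frame_reachable_after_unmap(false),
           (unsigned)frame_reachable_after_unmap(true));
    return 0;
}
```

With the flag passed as 0 the revoked frame stays reachable through the cached translation; with 1 the lookup finds nothing.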