From: Xen.org security team
Subject: DRAFT XSA 78 - Insufficient TLB flushing in VT-d (iommu) code
Date: Wed, 20 Nov 2013 16:36:49 +0000
To: xen-devel@lists.xenproject.org, yqcheng.2008@phdis.smu.edu.sg, zhangzhi2022@hotmail.com, junqing@pku.edu.cn
Cc: "Xen.org security team"

***** DRAFT DRAFT DRAFT *****

Xen Security Advisory XSA-78

Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry. Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests on systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.
RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$

[Attachment: xsa78.patch]
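
The failure mode described under ISSUE DESCRIPTION, shown as an added toy model: this is not Xen code and not part of the advisory or its patch. All function and variable names are hypothetical, and the rule that the flush helper skips invalidation when told the old entry was not present is an assumption made for illustration.

```c
/* Toy model of an IOMMU translation table plus IOTLB. Not Xen code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NPAGES 8
#define NO_MAP UINT64_MAX

static uint64_t pte[NPAGES];   /* in-memory table: gfn -> machine frame */
static uint64_t iotlb[NPAGES]; /* translations cached by the "hardware" */

/* Device access: a cached translation wins over the in-memory table. */
static uint64_t dma_translate(unsigned gfn)
{
    if (iotlb[gfn] == NO_MAP)
        iotlb[gfn] = pte[gfn]; /* miss: walk the table, cache the result */
    return iotlb[gfn];
}

/* Assumed semantics: non-present entries are never cached, so invalidation
 * is skipped when the caller reports the old entry as not present. */
static void iotlb_flush(unsigned gfn, bool old_pte_present)
{
    if (old_pte_present)
        iotlb[gfn] = NO_MAP;
}

/* Clear one mapping; present_arg is the flag the caller hands to the flush. */
static void pte_clear_one(unsigned gfn, bool present_arg)
{
    if (pte[gfn] == NO_MAP)
        return;                /* nothing mapped, nothing to revoke */
    pte[gfn] = NO_MAP;         /* past this point the old entry WAS present */
    iotlb_flush(gfn, present_arg);
}

/* Map, let the device use the page, revoke, translate again.
 * Returns true if the device still reaches the revoked frame. */
static bool stale_after_revoke(bool present_arg)
{
    for (int i = 0; i < NPAGES; i++)
        pte[i] = iotlb[i] = NO_MAP;
    pte[3] = 0x1234;           /* constructed sample mapping */
    (void)dma_translate(3);    /* device access populates the IOTLB */
    pte_clear_one(3, present_arg);
    return dma_translate(3) == 0x1234;
}

int main(void)
{
    printf("inverted flag: stale=%d\n", stale_after_revoke(false));
    printf("correct flag:  stale=%d\n", stale_after_revoke(true));
    return 0;
}
```

In this model the table entry is gone in both runs; only the run that passes the wrong flag leaves the cached translation usable, which is the stale-entry condition the advisory describes.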