Bug 1196266 (CVE-2015-2150, CVE-2015-8553, xsa120)

Summary: CVE-2015-2150 CVE-2015-8553 xen: non-maskable interrupts triggerable by guests (xsa120)
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Vasyl Kaigorodov <vkaigoro>
Assignee: Red Hat Product Security <security-response-team>
CC: carnil, drjones, imammedo, mrezanin, pbonzini, pmatouse, rkrcmar, security-response-team, vkuznets
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2015-02-26 13:43:36 UTC
Bug Depends On: 1200397, 1292439    
Bug Blocks: 1196269    
Attachments:
xsa120.patch
xsa120-addendum.patch
xsa120-classic-addendum.patch

Description Vasyl Kaigorodov 2015-02-25 15:39:37 UTC
ISSUE DESCRIPTION
=================

Guests are currently permitted to modify all of the (writable) bits in
the PCI command register of devices passed through to them. This in
particular allows them to disable memory and I/O decoding on the
device unless the device is an SR-IOV virtual function, in which case
subsequent accesses to the respective MMIO or I/O port ranges would
- on PCI Express devices - lead to Unsupported Request responses. The
treatment of such errors is platform specific.

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through. Upstream Linux versions 3.1 and onwards are vulnerable
due to supporting PCI backend functionality. Other Linux versions as
well as other OS versions may be vulnerable too.

Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted guests.

RESOLUTION
==========

Applying the attached patch resolves this issue for upstream Linux.

xsa120.patch Linux 3.19

$ sha256sum xsa120*.patch
5167215293d4a8a05f090fca5b20eb5878213a0158a0e7a12c245553db81a855 xsa120.patch

Comment 1 Vasyl Kaigorodov 2015-02-25 15:42:04 UTC
Created attachment 995253 [details]
xsa120.patch

Comment 3 Petr Matousek 2015-02-26 13:43:36 UTC
Statement:

This issue does affect the Dom0 Xen kernel as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 5 Martin Prpič 2015-03-10 13:35:31 UTC
External References:

http://xenbits.xen.org/xsa/advisory-120.html

Comment 6 Martin Prpič 2015-03-10 13:36:44 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1200397]

Comment 7 Martin Prpič 2015-04-01 08:02:18 UTC
An update on this issue from Xen:

The original patches were incomplete: although they eliminated the
possibility that the guest might disable memory and I/O decoding, they
did not ensure that these bits were set at start of day. The result
was that a malicious guest could simply avoid enabling them and
continue to exploit the vulnerability.

Well behaved guests would normally enable decoding and therefore would
not normally suffer a regression.

Additional patches are now supplied to resolve this issue.
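The command-register write filter described in the issue description above and the start-of-day fix described in Comment 7, as an added example in C that is not code from Xen, Linux xen-pciback or the attached patches: it models a pass-through device's PCI command register and shows the pre-fix behaviour that forwards every writable bit, the original XSA-120 filter that refuses to let a guest clear the I/O and memory decoding bits on a non-VF device, and the addendum that forces those bits on before the guest's first write. The `struct pt_dev`, the function names and the sample register values are assumptions made for the example; the bit values are those of the PCI command register at config offset 0x04.

```c
/* Model of the XSA-120 fix in a PCI back end. Added example, not code
 * from Xen or Linux xen-pciback. The device structure, function names
 * and sample values are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bits of the PCI command register (config space offset 0x04). */
#define PCI_COMMAND_IO      0x0001  /* I/O space decoding enable */
#define PCI_COMMAND_MEMORY  0x0002  /* memory space decoding enable */
#define PCI_COMMAND_MASTER  0x0004  /* bus mastering enable */

#define PCI_DECODE_BITS (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)

/* Hypothetical pass-through device state. */
struct pt_dev {
    uint16_t hw_command;  /* value actually programmed into the device */
    bool     is_virtfn;   /* SR-IOV VF: the command-register decode bits
                             do not apply, which is why the advisory
                             excludes VFs from the affected set */
};

/* Pre-XSA-120 behaviour: every writable bit the guest writes is
 * forwarded unchanged, so the guest can clear decoding. */
static uint16_t command_write_vulnerable(struct pt_dev *d, uint16_t guest_val)
{
    d->hw_command = guest_val;
    return d->hw_command;
}

/* Original XSA-120 patch behaviour: the guest may still set and clear
 * other bits, but on a non-VF device it can no longer clear memory or
 * I/O decoding. */
static uint16_t command_write_fixed(struct pt_dev *d, uint16_t guest_val)
{
    if (!d->is_virtfn)
        guest_val |= PCI_DECODE_BITS;
    d->hw_command = guest_val;
    return d->hw_command;
}

/* Addendum (Comment 7): the filter alone is not enough if decoding was
 * never enabled in the first place, because a guest that simply never
 * writes the register keeps the device in the dangerous state. Enable
 * decoding at start of day, before the guest runs. */
static uint16_t command_init_fixed(struct pt_dev *d)
{
    if (!d->is_virtfn)
        d->hw_command |= PCI_DECODE_BITS;
    return d->hw_command;
}

/* True when a non-VF device has memory or I/O decoding off: on a PCI
 * Express device the next access to that BAR or I/O range then yields
 * an Unsupported Request, which the platform may surface as an NMI. */
static bool decoding_disabled(const struct pt_dev *d)
{
    return !d->is_virtfn &&
           (d->hw_command & PCI_DECODE_BITS) != PCI_DECODE_BITS;
}

int main(void)
{
    /* Constructed sample: device starts with decoding and bus mastering
     * on; the guest then writes a value that keeps only bus mastering. */
    struct pt_dev dev = { .hw_command = PCI_DECODE_BITS | PCI_COMMAND_MASTER,
                          .is_virtfn = false };
    uint16_t guest_val = PCI_COMMAND_MASTER;

    command_write_vulnerable(&dev, guest_val);
    printf("vulnerable:   command=0x%04x decoding_disabled=%d\n",
           dev.hw_command, decoding_disabled(&dev));

    dev.hw_command = PCI_DECODE_BITS | PCI_COMMAND_MASTER;
    command_write_fixed(&dev, guest_val);
    printf("filtered:     command=0x%04x decoding_disabled=%d\n",
           dev.hw_command, decoding_disabled(&dev));

    /* Addendum case: decoding was never enabled and the guest writes nothing. */
    dev.hw_command = 0;
    printf("no init:      command=0x%04x decoding_disabled=%d\n",
           dev.hw_command, decoding_disabled(&dev));
    command_init_fixed(&dev);
    printf("start of day: command=0x%04x decoding_disabled=%d\n",
           dev.hw_command, decoding_disabled(&dev));
    return 0;
}
```

The `decoding_disabled()` check is the state the advisory describes: whether the guest reached it by clearing the bits (closed by the original patch) or by never setting them (closed by the addendum), the device is the same and the next MMIO or I/O access produces the same Unsupported Request.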

Comment 8 Martin Prpič 2015-04-01 08:03:01 UTC
Created attachment 1009512 [details]
xsa120-addendum.patch

Comment 9 Martin Prpič 2015-04-01 08:03:28 UTC
Created attachment 1009513 [details]
xsa120-classic-addendum.patch

Comment 10 Martin Prpič 2015-12-17 13:12:29 UTC
A second CVE has been assigned to this issue per:

http://xenbits.xen.org/xsa/advisory-157.html

Comment 11 Martin Prpič 2015-12-17 13:14:58 UTC
From the updated XSA-120:

"UPDATES IN VERSION 5
====================

The original patches were incomplete: although they eliminated the
possibility that the guest might disable memory and I/O decoding, they
did not ensure that these bits were set at start of day.  The result
was that a malicious guest could simply avoid enabling them and
continue to exploit the vulnerability.

Well behaved guests would normally enable decoding and therefore would
not normally suffer a regression.

Additional patches are now supplied to resolve this issue."

Comment 12 Martin Prpič 2015-12-17 13:16:06 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1292439]