Bug 1203737 (CVE-2015-2756, xsa126)

Summary: CVE-2015-2756 xen: unmediated PCI command register access in qemu (xsa126)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, pmatouse, rkrcmar, security-response-team, vkuznets
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-31 15:34:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1207738    
Bug Blocks: 1203743    
Attachments:
Description Flags
qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
none
qemu-upstream-unstable, Xen 4.3.x
none
qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x none

Description Vasyl Kaigorodov 2015-03-19 14:57:47 UTC
ISSUE DESCRIPTION
=================

HVM guests are currently permitted to modify the memory and I/O decode
bits in the PCI command register of devices passed through to them.
Unless the device is an SR-IOV virtual function, subsequent accesses to
the respective MMIO or I/O port ranges would - on PCI Express devices -
lead to Unsupported Request responses. The treatment of such errors is
platform specific.

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted HVM guests. This issue can
also be avoided by only using PV guests or HVM guests with their
device model run in a separate (stub) domain.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Comment 1 Vasyl Kaigorodov 2015-03-19 14:59:28 UTC
Created attachment 1003863 [details]
qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

Comment 2 Vasyl Kaigorodov 2015-03-19 15:01:18 UTC
Created attachment 1003864 [details]
qemu-upstream-unstable, Xen 4.3.x

Comment 3 Vasyl Kaigorodov 2015-03-19 15:01:58 UTC
Created attachment 1003866 [details]
qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x

Comment 4 Petr Matousek 2015-03-31 15:16:34 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1207738]

Comment 5 Petr Matousek 2015-03-31 15:20:51 UTC
References:

http://www.openwall.com/lists/oss-security/2015/03/31/7

Comment 6 Petr Matousek 2015-03-31 15:22:27 UTC
Acknowledgements:

Red Hat would like to thank the Xen for reporting this issue.

Comment 7 Petr Matousek 2015-03-31 15:34:49 UTC
Statement:

This issue dos affect the xen packages as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.