Bug 1289128 (CVE-2015-8551, CVE-2015-8552, xsa157)

Summary: CVE-2015-8551 CVE-2015-8552 xsa157 xen: Linux pciback missing sanity checks leading to crash (XSA-157)
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: ailan, dhoward, drjones, fhrbata, imammedo, knoel, lwang, m.a.young, mguzik, mrezanin, nmurray, pbonzini, plougher, rkrcmar, rvrbovsk, security-response-team, vkuznets, xen-maint
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2018-03-07 10:41:57 UTC
Bug Depends On: 1292439
Bug Blocks: 1290367

Description Martin Prpič 2015-12-07 13:55:10 UTC
ISSUE DESCRIPTION
=================

Xen PCI backend driver does not perform proper sanity checks on the
device's state.

This in turn allows the generic MSI code (called by the Xen PCI backend) to be
called incorrectly, leading to hitting BUG conditions or causing NULL pointer
exceptions in the MSI code.

To exploit this the guest can craft a specific sequence of XEN_PCI_OP_*
operations which will trigger this.

Furthermore the frontend can also craft a continuous stream of
XEN_PCI_OP_enable_msi which will trigger a continuous
stream of WARN() messages triggered by the MSI code, leading to the logging
in the initial domain exhausting disk space.

Lastly there is also a missing check to verify whether the device has
memory decoding enabled at the start of the day, leading the initial
domain "accesses to the respective MMIO or I/O port ranges would - - on PCI
Express devices - [which can] lead to Unsupported Request responses.
The treatment of such errors is platform specific." (from XSA-120).
Note that if XSA-120 'addendum' patch has been applied this particular
sub-issue is not exploitable.

IMPACT
======

Malicious guest administrators can cause denial of service.  If driver
domains are not in use, the impact is a host crash.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

VULNERABLE SYSTEMS
==================

This bug affects systems using Linux as the driver domain, including
non-disaggregated systems using Linux as dom0.

Linux versions v3.1 and onwards are vulnerable due to supporting the PCI
pass-through backend driver.

PV and HVM guests which have been granted access to physical PCI devices
('PCI passthrough') can take advantage of this vulnerability.

Furthermore, the vulnerability is only applicable when the
passed-through PCI devices are MSI- or MSI-X-capable. (Most modern devices
are.)

MITIGATION
==========

Not using PCI passthrough for PV and HVM guests. Note that for HVM guests
QEMU is used for PCI passthrough; however, the toolstack also sets up
the 'PV' PCI which the guest can utilize if it chooses to do so.

External References:

http://xenbits.xen.org/xsa/advisory-157.html

Acknowledgements:

Red Hat would like to thank the Xen project for reporting this issue.
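
As an added illustration (not part of the advisory and not Linux pciback code), the following C model shows the kind of device-state checks the description says are missing: an op is validated against the backend's view of the device before anything calls into the generic MSI layer, so a repeated XEN_PCI_OP_enable_msi stream is refused after the first request instead of producing a WARN() per request, and MSI-X operations are refused while memory decoding is off. The struct, the OP_* names and the replay() helper are assumptions of this model; PCI_COMMAND_MEMORY is the standard PCI command register bit.

```c
/* Simplified model of the device-state checks XSA-157 says pciback lacks.
 * Added for this page, not Linux code; struct and op names are assumptions. */
#include <errno.h>
#include <stdint.h>
#define PCI_COMMAND_MEMORY 0x2  /* standard PCI command bit: memory decoding */

/* Frontend requests, modelled on the XEN_PCI_OP_* names in the advisory. */
enum pci_op { OP_ENABLE_MSI, OP_DISABLE_MSI, OP_ENABLE_MSIX, OP_DISABLE_MSIX };

struct bdev {                 /* backend's view of a passed-through device */
    uint16_t command;         /* PCI command register */
    int msi_enabled, msix_enabled, msi_calls;  /* msi_calls: MSI-layer entries */
};

/* Validate one op against device state before touching the MSI layer.
 * Returns 0 or a negative errno; rejected ops never reach MSI code. */
int handle_op(struct bdev *d, enum pci_op op)
{
    switch (op) {
    case OP_ENABLE_MSI:       /* re-enabling would trip the WARN()s described */
        if (d->msi_enabled || d->msix_enabled) return -EBUSY;
        d->msi_enabled = 1;
        break;
    case OP_DISABLE_MSI:      /* nothing to disable: do not enter MSI code */
        if (!d->msi_enabled) return -EINVAL;
        d->msi_enabled = 0;
        break;
    case OP_ENABLE_MSIX:      /* MSI-X table lives in a BAR: needs decoding */
        if (!(d->command & PCI_COMMAND_MEMORY)) return -EINVAL;
        if (d->msi_enabled || d->msix_enabled) return -EBUSY;
        d->msix_enabled = 1;
        break;
    case OP_DISABLE_MSIX:
        if (!d->msix_enabled) return -EINVAL;
        d->msix_enabled = 0;
        break;
    default: return -EINVAL;
    }
    d->msi_calls++;           /* only validated ops call into the MSI layer */
    return 0;
}

/* Replay n identical ops against a fresh device (decoding on if mem != 0);
 * returns how many of them were allowed through to the MSI layer. */
int replay(enum pci_op op, int n, int mem)
{
    struct bdev d = { mem ? PCI_COMMAND_MEMORY : 0, 0, 0, 0 };
    for (int i = 0; i < n; i++) handle_op(&d, op);
    return d.msi_calls;
}
```

With the checks in place, replay(OP_ENABLE_MSI, 100, 1) enters the MSI layer once, whereas without them every request would.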

Comment 1 Martin Prpič 2015-12-15 12:56:45 UTC
(In reply to Martin Prpic from comment #0)
> ISSUE DESCRIPTION
> =================
> 
> Xen PCI backend driver does not perform proper sanity checks on the
> device's state.
> 
> This in turn allows the generic MSI code (called by the Xen PCI backend) to be
> called incorrectly, leading to hitting BUG conditions or causing NULL pointer
> exceptions in the MSI code.

This was assigned CVE-2015-8551.

> 
> To exploit this the guest can craft a specific sequence of XEN_PCI_OP_*
> operations which will trigger this.
> 
> Furthermore the frontend can also craft a continuous stream of
> XEN_PCI_OP_enable_msi which will trigger a continuous
> stream of WARN() messages triggered by the MSI code, leading to the logging
> in the initial domain exhausting disk space.

This was assigned CVE-2015-8552.

> 
> Lastly there is also a missing check to verify whether the device has
> memory decoding enabled at the start of the day, leading the initial
> domain "accesses to the respective MMIO or I/O port ranges would - - on PCI
> Express devices - [which can] lead to Unsupported Request responses.
> The treatment of such errors is platform specific." (from XSA-120).
> Note that if XSA-120 'addendum' patch has been applied this particular
> sub-issue is not exploitable.

This was assigned CVE-2015-8553.

Comment 2 Martin Prpič 2015-12-17 13:11:12 UTC
"UPDATES IN VERSION 3
====================

Removed CVE-2015-8553 from the title of this advisory.  We will issue
an update to XSA-120 which documents the assignment of CVE-2015-8553
to the XSA-120 v5+ addendum patch."

CVE-2015-8553 has been re-assigned to bug 1196266 (XSA-120).

Comment 3 Martin Prpič 2015-12-17 13:16:02 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1292439]

Comment 4 Michael Young 2015-12-17 20:23:50 UTC
The xsa157 patches are for the xen drivers within the kernel, not for the xen package.