Bug 1970539 (CVE-2021-28692)

Summary: CVE-2021-28692 xen: inappropriate x86 IOMMU timeout detection / handling (XSA-373)
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jforbes, m.a.young
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-10 21:04:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970540    
Bug Blocks:    

Description Guilherme de Almeida Suckevicz 2021-06-10 16:33:46 UTC 
IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands.  In the current implementation in Xen, asynchronous notification of the completion of such commands is not used.  Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s).  Some of these waiting loops try to apply a timeout to fail overly-slow commands.

The course of action upon a perceived timeout actually being detected is inappropriate:
 - on Intel hardware guests which did not originally cause the timeout
   may be marked as crashed,
 - on AMD hardware higher layer callers would not be notified of the
   issue, making them continue as if the IOMMU operation succeeded.

Reference:
https://xenbits.xen.org/xsa/advisory-373.html
Comment 1 Guilherme de Almeida Suckevicz 2021-06-10 16:34:06 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1970540]
Comment 2 Product Security DevOps Team 2021-06-10 21:04:05 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.