Bug 715555 (CVE-2011-1898)

Summary: CVE-2011-1898 virt: VT-d (PCI passthrough) MSI trap injection
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: alex.williamson, anton, arozansk, davej, ddutile, dhoward, drjones, ehabkost, fhrbata, imammedo, jlieskov, jpirko, kernel-mgr, kmcmartin, knoel, lcapitulino, lersek, lwang, mishu, mjc, mkenneth, mmcallis, mtosatti, pbonzini, plougher, rcvalle, sforsber, tburke, tcallawa, virt-maint, xen-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-03-28 08:42:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 711504, 716301, 716302, 716306, 748692, 785089
Bug Blocks: 732764

Description Petr Matousek 2011-06-23 10:28:57 UTC
Problem description:
Intel VT-d chipsets without interrupt remapping do not prevent a guest which owns a PCI device from using DMA to generate MSI interrupts by writing to the interrupt injection registers.  This can be exploited to inject traps and gain control of the host.

References:
http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00687.html
http://theinvisiblethings.blogspot.com/2011/05/following-white-rabbit-software-attacks.html
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf

Comment 8 Murray McAllister 2011-08-23 07:30:23 UTC
Issue

The fix for CVE-2011-1898 introduced a regression in the way PCI passthrough works. Depending on how virtualization guests are configured to use PCI passthrough devices, this regression can prevent those guests from starting.

PCI passthrough[1] allows virtualized guests to directly access various hardware devices and components (it allows you to assign a PCI device to a guest). CVE-2011-1898 describes a flaw that allows a privileged guest user in a KVM (Kernel-based Virtual Machine) or Xen hypervisor guest to crash the host or escalate their privileges on the host, when the host was using PCI passthrough without interrupt remapping support.

The CVE-2011-1898 flaw affected the Xen hypervisor on Red Hat Enterprise Linux 5 hosts (refer to the Note below about KVM on Red Hat Enterprise Linux 5), and the KVM hypervisor on Red Hat Enterprise Linux 6 hosts (there is no Xen hypervisor in Red Hat Enterprise Linux 6). The flaw was fixed by the RHSA-2011:1479 and RHSA-2011:1189 updates for Red Hat Enterprise Linux 5 and 6 respectively; however, the updates introduced a regression.

After installing RHSA-2011:1479 and RHSA-2011:1189, it will not be possible to use PCI passthrough without interrupt remapping. Device assignment will fail with a 'Failed to assign device "[device name]" : Operation not permitted' error for users of KVM, and an 'Interrupt Remapping hardware not found, passing devices to unprivileged domains is insecure. If you really want to do this, please boot with "iommu=no-intremap"' error for Xen hypervisor users.

Depending on how guests are configured to use PCI passthrough devices, this regression can prevent those guests from starting.

Note: The KVM version in Red Hat Enterprise Linux 5 does not have interrupt remapping support. Red Hat cannot backport this support as it is too invasive and has a high risk of introducing severe regressions at this point in the Red Hat Enterprise Linux 5 life-cycle. As such, Red Hat recommends that users of KVM on Red Hat Enterprise Linux 5 only use PCI passthrough with trusted guests.

Environment Summary

If your hardware does not support interrupt remapping, and the RHSA-2011:1479 or RHSA-2011:1189 updates have been installed, the regression affects:

* Users of KVM on Red Hat Enterprise Linux 6 hosts.

* Users of fully-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts.

For para-virtualized Xen hypervisor guests, PCI passthrough is always allowed and is therefore vulnerable to CVE-2011-1898. Red Hat recommends PCI passthrough only be used with trusted para-virtualized Xen hypervisor guests.

Environment: KVM running on Red Hat Enterprise Linux 6.

For users of KVM on Red Hat Enterprise Linux 6 hosts, the regression after installing RHSA-2011:1189 affects:

* All systems using an AMD processor and chipset that have AMD I/O Virtualization (AMD-Vi) support. Such hardware has interrupt remapping support; however, the software support is not yet available upstream.

* All systems using an Intel processor and chipset that have support for Intel Virtualization Technology for Directed I/O (VT-d), but do not have support for interrupt remapping. Interrupt remapping support is provided in newer processors and chipsets. To identify if your system has support for interrupt remapping:

1) Run the "dmesg | grep ecap" command.

2) On the IOMMU lines, the hexadecimal value after "ecap" indicates whether interrupt remapping is supported. If the last character of this value is an 8, 9, a, b, c, d, e, or an f, interrupt remapping is supported. For example, "ecap 1000" indicates there is no interrupt remapping support. "ecap 10207f" indicates interrupt remapping support, as the last character is an "f".

Interrupt remapping will only be enabled if every IOMMU supports it.

Alternatively, run the following script to determine if your system has interrupt remapping support:

#!/bin/sh
# Exit 1 if the kernel log contains no IOMMU "ecap" lines at all.
if [ $(dmesg | grep ecap | wc -l) -eq 0 ]; then
  echo "No interrupt remapping support found"
  exit 1
fi

# The last field of each "ecap" line is the IOMMU extended capability register.
# Bit 3 (the 8 in the last hex digit) is the interrupt remapping bit; every IOMMU must set it.
for i in $(dmesg | grep ecap | awk '{print $NF}'); do
  if [ $(( (0x$i & 0xf) >> 3 )) -ne 1 ]; then
    echo "Interrupt remapping not supported"
    exit 1
  fi
done

echo "Interrupt remapping support available"
exit 0

Workaround

If you wish to continue using PCI passthrough without interrupt remapping for KVM guests, the previous, vulnerable behavior can be restored by running the following command as root:

echo 1 > /sys/module/kvm/parameters/allow_unsafe_assigned_interrupts

To make this change persist across reboots, add the following to "/etc/modprobe.d/kvm.conf" (or create this file, if it does not exist):

options kvm allow_unsafe_assigned_interrupts=1

(Using this option reintroduces CVE-2011-1898.)

Environment: Xen hypervisor running on Red Hat Enterprise Linux 5

Passing a PCI device to a para-virtualized Xen hypervisor guest always works and is therefore vulnerable to CVE-2011-1898. Red Hat recommends that users of para-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts only use PCI passthrough with trusted guests.

For users of fully-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts that have the RHSA-2011:1479 update installed, the regression affects systems using an Intel processor and chipset that have support for Intel Virtualization Technology for Directed I/O (VT-d), but do not have support for interrupt remapping.

Interrupt remapping support is provided in newer processors and chipsets. To identify if your system has support for interrupt remapping:

1) Reboot the host and set the log level to info (using the "loglvl=info" kernel boot option).

2) Run the xm dmesg | grep "Interrupt Remapping hardware not found" command. If this message is found, there is no interrupt remapping support and PCI passthrough will be disabled for security reasons (PCI devices will not be able to be passed to fully-virtualized guests).

Workaround

If you wish to use PCI passthrough for fully-virtualized Xen hypervisor guests on systems that do not have interrupt remapping, the previous, vulnerable behavior can be restored by rebooting the Xen hypervisor host and using the "iommu=no-intremap" kernel boot option. Using this option reintroduces CVE-2011-1898.

Note that if your hardware does not support interrupt remapping, and the RHSA-2011:1479 update has been installed, using the "iommu=on" kernel boot option prevents PCI passthrough to fully-virtualized Xen hypervisor guests (PCI devices will not be able to be assigned to the guest).

Run the "cat /proc/cmdline" command to view the options the kernel was booted with. Users of GRUB can use the "/etc/grub.conf" file to make kernel boot options persist across reboots.

[1] Refer to the "PCI passthrough" section of the Red Hat Enterprise Linux 5 Virtualization Guide or to the "PCI device assignment" section of the Red Hat Enterprise Linux 6 Virtualization Guide, available on http://docs.redhat.com/docs/en-US/index.html, for further information about PCI passthrough.
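The following script is an added example and is not Red Hat's script or part of the knowledgebase text above. It puts the three host-side checks from Comment 8 into reusable functions: the per-IOMMU "ecap" bit 3 test from the dmesg procedure (reading the log from stdin so it can be run against saved output), a check of whether the KVM "allow_unsafe_assigned_interrupts" workaround has been switched on, and a check of whether the Xen "iommu=no-intremap" workaround is present on the kernel command line. The function names, the sample dmesg lines and the exit-code conventions are the example's own; the sysfs path and the boot option strings come from the page. Handling a comma-separated "iommu=" value list is an assumption about Xen's option syntax.

```shell
#!/bin/sh
# Added example (not Red Hat's script). Checks whether a host is still exposed to
# CVE-2011-1898: IOMMUs without the interrupt remapping (IR) capability, or one of the
# documented unsafe workarounds having been enabled.

# Constructed sample dmesg output for offline use (two IOMMUs, one lacking IR).
SAMPLE_MIXED='DMAR: IOMMU 0: reg_base_addr fed90000 ver 1:0 cap c0000020e60262 ecap 10207f
DMAR: IOMMU 1: reg_base_addr fed91000 ver 1:0 cap c0000020e60262 ecap 1000'

# Constructed sample where every IOMMU reports IR.
SAMPLE_ALL_IR='DMAR: IOMMU 0: reg_base_addr fed90000 ver 1:0 cap c0000020e60262 ecap f0101a
DMAR: IOMMU 1: reg_base_addr fed91000 ver 1:0 cap c0000020e60262 ecap 10207f'

# ecap_has_ir HEX: exit 0 if bit 3 of the ecap register value is set (last hex digit 8-f).
ecap_has_ir() {
  [ $(( (0x$1 >> 3) & 1 )) -eq 1 ]
}

# ir_supported_from_dmesg: reads dmesg-style text on stdin.
# Exit 0 = every IOMMU reports IR; 1 = at least one IOMMU lacks it (remapping will stay
# disabled, as the page notes it needs all IOMMUs); 2 = no "ecap" lines at all (no VT-d
# IOMMU, or the DMAR lines have rotated out of the kernel ring buffer).
ir_supported_from_dmesg() {
  found=0
  rc=0
  while IFS= read -r line; do
    ecap=$(printf '%s\n' "$line" | sed -n 's/.*ecap[ ]*\([0-9a-fA-F][0-9a-fA-F]*\).*/\1/p')
    [ -n "$ecap" ] || continue
    found=1
    if ecap_has_ir "$ecap"; then
      echo "IR present: $line"
    else
      echo "IR missing: $line"
      rc=1
    fi
  done
  [ "$found" -eq 1 ] || return 2
  return "$rc"
}

# unsafe_assignment_enabled [FILE]: exit 0 if the KVM parameter file holds 1, i.e. the
# vulnerable pre-fix behaviour has been deliberately restored on this host.
# FILE defaults to the sysfs path given on the page; a different path is for testing.
unsafe_assignment_enabled() {
  f=${1:-/sys/module/kvm/parameters/allow_unsafe_assigned_interrupts}
  [ -r "$f" ] && [ "$(head -n 1 "$f" 2>/dev/null | tr -d '[:space:]')" = "1" ]
}

# cmdline_has_no_intremap CMDLINE: exit 0 if the Xen "iommu=no-intremap" workaround is
# present in the given kernel command line (pass "$(cat /proc/cmdline)" on a real host).
cmdline_has_no_intremap() {
  for tok in $1; do
    case "$tok" in
      iommu=*)
        vals=${tok#iommu=}
        # Assumption: Xen accepts a comma-separated list of iommu= values.
        for v in $(printf '%s\n' "$vals" | tr ',' ' '); do
          [ "$v" = "no-intremap" ] && return 0
        done
        ;;
    esac
  done
  return 1
}

# Real-host usage (commented out so the example runs offline against the sample data):
#   dmesg | ir_supported_from_dmesg; echo "exit=$?"
#   unsafe_assignment_enabled && echo "WARNING: allow_unsafe_assigned_interrupts=1"
#   cmdline_has_no_intremap "$(cat /proc/cmdline)" && echo "WARNING: iommu=no-intremap"
printf '%s\n' "$SAMPLE_MIXED" | ir_supported_from_dmesg || echo "sample: remapping unavailable (exit $?)"
```

The exit-code split between "no IOMMU lines" and "an IOMMU without IR" matters in practice: on a long-running host the DMAR lines may have rotated out of the ring buffer, so a silent "not supported" from the page's one-liner can mean the evidence is simply gone rather than that the hardware lacks remapping.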

Comment 9 errata-xmlrpc 2011-08-23 14:41:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1189 https://rhn.redhat.com/errata/RHSA-2011-1189.html

Comment 13 Eugene Teo (Security Response) 2011-10-25 04:08:20 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748692]

Comment 14 errata-xmlrpc 2011-11-29 14:35:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1479 https://rhn.redhat.com/errata/RHSA-2011-1479.html

Comment 15 Murray McAllister 2011-12-01 03:03:43 UTC
Comment 8 copied to a Knowledgebase article:

https://access.redhat.com/kb/docs/DOC-66828

Comment 17 errata-xmlrpc 2012-03-06 17:43:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:0358 https://rhn.redhat.com/errata/RHSA-2012-0358.html

Comment 18 Petr Matousek 2012-03-07 20:02:24 UTC
Statement:

This issue did affect the versions of kernel package as shipped with Red Hat Enterprise Linux 5.

This issue did affect the versions of kvm package as shipped with Red Hat Enterprise Linux 5. Red Hat cannot backport the fix though as it is too invasive and has a high risk of introducing severe regressions at this point in the Red Hat Enterprise Linux 5 life-cycle. As such, Red Hat recommends that users of KVM on Red Hat Enterprise Linux 5 only use PCI passthrough with trusted guests.

This issue did affect the versions of kernel package as shipped with Red Hat Enterprise Linux 6.

This issue did not affect the versions of kernel-rt package as shipped with Red Hat Enterprise MRG as it did not provide support for virtualization.

For further info please refer to the knowledge base article https://access.redhat.com/knowledge/articles/66747.