Bug 986302 (CVE-2013-3495)

Summary: CVE-2013-3495 hw: virt: Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, alex.williamson, anton, ddutile, dhoward, drjones, gleb, imammedo, jkurik, lwang, mrezanin, pbonzini, plougher, rkrcmar, rvrbovsk, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-24 13:37:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 986303    

Description Petr Matousek 2013-07-19 11:24:12 UTC
Malformed MSIs are transactions to the special address range that
do not have proper attributes of MSI requests. Such malformed transactions are detected and aborted by the platform, before they are subject to further interrupt remapping/processing. For RAS purposes, some platforms may be configured to support System Error Reporting (SERR) capability. These platforms raise a PCI system error (SERR#) due to Unsupported Request, which are typically delivered as Non-Maskable Interrupts (NMI), to report such errors to software. Depending on hypervisor and Dom0 kernel configuration, such an NMI may be handled by the hypervisor/Dom0 or can result in a host software halt ("panic"). On platforms with SERR enabled, such malformed MSI requests can be generated by guest OS with an assigned device, causing hypervisor/Dom0 receive NMI despite using VT-d and interrupt remapping for device assignment.

A malicious domain, given access to a device which bus mastering capable, can
mount a denial of service attack affecting the whole system.

Only systems using Intel VT-d for PCI passthrough and enabled SERR are vulnerable.

This issue can be avoided by not assigning PCI devices to untrusted guests.

References:

http://seclists.org/oss-sec/2013/q3/421

Acknowledgements:

Red Hat would like to thank the Xen and KVM upstreams for reporting this issue. Xen upstream acknowledged Gábor PÉK of CrySyS Lab as the original reporter

Comment 1 Petr Matousek 2013-07-19 11:27:45 UTC
Statement:

This is hardware issue related to Intel VT-d, affecting all hypervisors (such as Xen and KVM) using Intel VT-d for guest PCI passthrough.