ISSUE DESCRIPTION
=================

Guests are currently permitted to modify all of the (writable) bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case subsequent accesses to the respective MMIO or I/O port ranges would - on PCI Express devices - lead to Unsupported Request responses. The treatment of such errors is platform specific.

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through.

Upstream Linux versions 3.1 and onwards are vulnerable due to supporting PCI backend functionality. Other Linux versions as well as other OS versions may be vulnerable too.

Any domain which is given access to a non-SR-IOV virtual function PCI Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other than SR-IOV virtual functions to untrusted guests.

RESOLUTION
==========

Applying the attached patch resolves this issue for upstream Linux.

xsa120.patch        Linux 3.19

$ sha256sum xsa120*.patch
5167215293d4a8a05f090fca5b20eb5878213a0158a0e7a12c245553db81a855  xsa120.patch
Created attachment 995253: xsa120.patch
Statement: This issue does affect the Dom0 Xen kernel as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
External References: http://xenbits.xen.org/xsa/advisory-120.html
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1200397]
An update on this issue from Xen: The original patches were incomplete: although they eliminated the possibility that the guest might disable memory and I/O decoding, they did not ensure that these bits were set at start of day. The result was that a malicious guest could simply avoid enabling them and continue to exploit the vulnerability. Well behaved guests would normally enable decoding and therefore would not normally suffer a regression. Additional patches are now supplied to resolve this issue.
Created attachment 1009512: xsa120-addendum.patch
Created attachment 1009513: xsa120-classic-addendum.patch
A second CVE has been assigned to this issue per: http://xenbits.xen.org/xsa/advisory-157.html
From the updated XSA-120:

"UPDATES IN VERSION 5
====================

The original patches were incomplete: although they eliminated the possibility that the guest might disable memory and I/O decoding, they did not ensure that these bits were set at start of day. The result was that a malicious guest could simply avoid enabling them and continue to exploit the vulnerability. Well behaved guests would normally enable decoding and therefore would not normally suffer a regression. Additional patches are now supplied to resolve this issue."
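As an added illustration (not the XSA-120 patches and not the Linux PCI backend code, whose structure this page does not show), the following C model captures the two properties that the issue description at the top and the version 5 update above together call for: a guest write to the command register must not be able to clear the memory and I/O decoding bits, and those bits must be forced on at start of day rather than left for the guest to enable. The names `pt_device`, `pt_assign` and `pt_command_write` are assumptions made for this example; the bit values are the standard PCI command register definitions. The `_original` variants model the incomplete first fix as the update describes it: they stop a guest clearing a decoding bit that is already set, but never set one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard PCI command register bits (same values as <linux/pci_regs.h>). */
#define PCI_COMMAND_IO      0x0001  /* I/O Space Enable */
#define PCI_COMMAND_MEMORY  0x0002  /* Memory Space Enable */
#define PCI_COMMAND_MASTER  0x0004  /* Bus Master Enable */

/* Decoding bits a guest must never be able to switch off. */
#define DECODE_BITS (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)

/* Hypothetical model of one pass-through device's command register state. */
struct pt_device {
    uint16_t command;   /* value the modelled hardware register holds */
    bool     sriov_vf;  /* the advisory exempts SR-IOV virtual functions */
};

/* True when an access to the device's MMIO/I/O ranges would hit a device
 * that is not decoding them (the state that, on PCI Express, can surface as
 * an Unsupported Request). */
bool pt_decoding_disabled(const struct pt_device *dev)
{
    return !dev->sriov_vf && (dev->command & DECODE_BITS) != DECODE_BITS;
}

/* --- Model of the incomplete first fix --------------------------------- */

/* Device is handed to the guest as found: nothing forces decoding on. */
void pt_assign_original(struct pt_device *dev, uint16_t hw_command, bool vf)
{
    dev->command = hw_command;
    dev->sriov_vf = vf;
}

/* Guest writes cannot clear a decoding bit that is already set, but a guest
 * that simply never sets one leaves the device non-decoding. */
uint16_t pt_command_write_original(struct pt_device *dev, uint16_t guest_val)
{
    uint16_t keep = dev->sriov_vf ? 0 : (dev->command & DECODE_BITS);
    dev->command = guest_val | keep;
    return dev->command;
}

/* --- Model of the completed fix ---------------------------------------- */

/* Start of day: force decoding on before the guest ever sees the device. */
void pt_assign(struct pt_device *dev, uint16_t hw_command, bool vf)
{
    dev->command = hw_command;
    dev->sriov_vf = vf;
    if (!vf)
        dev->command |= DECODE_BITS;
}

/* Guest writes are filtered so the decoding bits stay set whatever the guest
 * asked for; the other writable bits pass through unchanged. */
uint16_t pt_command_write(struct pt_device *dev, uint16_t guest_val)
{
    dev->command = dev->sriov_vf ? guest_val : (guest_val | DECODE_BITS);
    return dev->command;
}

int main(void)
{
    /* Constructed scenario: a PCIe endpoint assigned with decoding off and a
     * guest that only ever enables bus mastering. */
    struct pt_device a, b;

    pt_assign_original(&a, 0x0000, false);
    pt_command_write_original(&a, PCI_COMMAND_MASTER);
    printf("first fix: command=0x%04x decoding_disabled=%d\n",
           a.command, pt_decoding_disabled(&a));   /* 0x0004, 1 */

    pt_assign(&b, 0x0000, false);
    pt_command_write(&b, PCI_COMMAND_MASTER);
    printf("completed: command=0x%04x decoding_disabled=%d\n",
           b.command, pt_decoding_disabled(&b));   /* 0x0007, 0 */
    return 0;
}
```

The point of keeping both models side by side is the regression argument in the update: a well-behaved guest sets the decoding bits itself and behaves identically under either filter, while a guest that withholds them is only caught by the start-of-day initialisation in `pt_assign`.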
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1292439]