Red Hat Bugzilla – Bug 1203737
CVE-2015-2756 xen: unmediated PCI command register access in qemu (xsa126)
Last modified: 2015-04-08 15:12:09 EDT
ISSUE DESCRIPTION ================= HVM guests are currently permitted to modify the memory and I/O decode bits in the PCI command register of devices passed through to them. Unless the device is an SR-IOV virtual function, subsequent accesses to the respective MMIO or I/O port ranges would - on PCI Express devices - lead to Unsupported Request responses. The treatment of such errors is platform specific. IMPACT ====== In the event that the platform surfaces aforementioned UR responses as Non-Maskable Interrupts, and either the OS is configured to treat NMIs as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat these errors as fatal, the host would crash, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Any domain which is given access to a non-SR-IOV virtual function PCI Express device can take advantage of this vulnerability. MITIGATION ========== This issue can be avoided by not assigning PCI Express devices other than SR-IOV virtual functions to untrusted HVM guests. This issue can also be avoided by only using PV guests or HVM guests with their device model run in a separate (stub) domain. RESOLUTION ========== Applying the appropriate attached patch resolves this issue.
Created attachment 1003863 [details] qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
Created attachment 1003864 [details] qemu-upstream-unstable, Xen 4.3.x
Created attachment 1003866 [details] qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1207738]
References: http://www.openwall.com/lists/oss-security/2015/03/31/7
Acknowledgements: Red Hat would like to thank the Xen for reporting this issue.
Statement: This issue dos affect the xen packages as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.