HVM guests are currently permitted to modify the memory and I/O decode
bits in the PCI command register of devices passed through to them.
Unless the device is an SR-IOV virtual function, subsequent accesses to
the respective MMIO or I/O port ranges would - on PCI Express devices -
lead to Unsupported Request responses. The treatment of such errors is
In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Xen versions 3.3 and onwards are vulnerable due to supporting PCI
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.
Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.
This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted HVM guests. This issue can
also be avoided by only using PV guests or HVM guests with their
device model run in a separate (stub) domain.
Applying the appropriate attached patch resolves this issue.
Created attachment 1003863 [details]
qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x
Created attachment 1003864 [details]
qemu-upstream-unstable, Xen 4.3.x
Created attachment 1003866 [details]
qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
Created xen tracking bugs for this issue:
Affects: fedora-all [bug 1207738]
Red Hat would like to thank the Xen for reporting this issue.
This issue dos affect the xen packages as shipped with Red Hat Enterprise Linux 5.
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.