Bug 715555 - (CVE-2011-1898) CVE-2011-1898 virt: VT-d (PCI passthrough) MSI trap injection
CVE-2011-1898 virt: VT-d (PCI passthrough) MSI trap injection
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
public=20110413,reported=20110616,sou...
: Security
Depends On: 711504 716301 716302 716306 748692 785089
Blocks: 732764
  Show dependency treegraph
 
Reported: 2011-06-23 06:28 EDT by Petr Matousek
Modified: 2015-07-31 02:41 EDT (History)
31 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 04:42:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Petr Matousek 2011-06-23 06:28:57 EDT
Problem description:
Intel VT-d chipsets without interrupt remapping do not prevent a guest which owns a PCI device from using DMA to generate MSI interrupts by writing to the interrupt injection registers.  This can be exploited to inject traps and gain control of the host.

References:
http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00687.html
http://theinvisiblethings.blogspot.com/2011/05/following-white-rabbit-software-attacks.html
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
Comment 8 Murray McAllister 2011-08-23 03:30:23 EDT
Issue

The fix for CVE-2011-1898 introduced a regression in the way PCI passthrough works. Depending on how virtualization guests are configured to use PCI passthrough devices, this regression can prevent those guests from starting.

PCI passthrough[1] allows virtualized guests to directly access various hardware devices and components (it allows you to assign a PCI device to a guest). CVE-2011-1898 describes a flaw that allows a privileged guest user in a KVM (Kernel-based Virtual Machine) or Xen hypervisor guest to crash the host or escalate their privileges on the host, when the host was using PCI passthrough without interrupt remapping support.

The CVE-2011-1898 flaw affected the Xen hypervisor on Red Hat Enterprise Linux 5 hosts (refer to the Note below about KVM on Red Hat Enterprise Linux 5), and the KVM hypervisor on Red Hat Enterprise Linux 6 hosts (there is no Xen hypervisor in Red Hat Enterprise Linux 6). The flaw was fixed by the RHSA-2011:1479 and RHSA-2011:1189 updates for Red Hat Enterprise Linux 5 and 6 respectively; however, the updates introduced a regression.

After installing RHSA-2011:1479 and RHSA-2011:1189, it will not be possible to use PCI passthrough without interrupt remapping. Device assignment will fail with a 'Failed to assign device "[device name]" : Operation not permitted' error for users of KVM, and a 'Interrupt Remapping hardware not found, passing devices to unprivileged domains is insecure. If you really want to do this, please boot with "iommu=no-intremap"' error for Xen hypervisor users.

Depending on how guests are configured to use PCI passthrough devices, this regression can prevent those guests from starting.

Note: The KVM version in Red Hat Enterprise Linux 5 does not have interrupt remapping support. Red Hat cannot backport this support as it is too invasive and has a high risk of introducing severe regressions at this point in the Red Hat Enterprise Linux 5 life-cycle. As such, Red Hat recommends that users of KVM on Red Hat Enterprise Linux 5 only use PCI passthrough with trusted guests.

Environment Summary

If your hardware does not support interrupt remapping, and the RHSA-2011:1479 or RHSA-2011:1189 updates have been installed, the regression affects:

* Users of KVM on Red Hat Enterprise Linux 6 hosts.

* Users of fully-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts.

For para-virtualized Xen hypervisor guests, PCI passthrough is always allowed and is therefore vulnerable to CVE-2011-1898. Red Hat recommends PCI passthrough only be used with trusted para-virtualized Xen hypervisor guests.

Environment: KVM running on Red Hat Enterprise Linux 6.

For users of KVM on Red Hat Enterprise Linux 6 hosts, the regression after installing RHSA-2011:1189 affects:

* All systems using an AMD processor and chipset that have AMD I/O Virtualization (AMD-Vi) support. Such hardware has interrupt remapping support; however, the software support is not yet available upstream.

* All systems using an Intel processor and chipset that have support for Intel Virtualization Technology for Directed I/O (VT-d), but do not have support for interrupt remapping. Interrupt remapping support is provided in newer processors and chipsets. To identify if your system has support for interrupt remapping:

1) Run the "dmesg | grep ecap" command.

2) On the IOMMU lines, the hexadecimal value after "ecap" indicates whether interrupt remapping is supported. If the last character of this value is an 8, 9, a, b, c, d, e, or an f, interrupt remapping is supported. For example, "ecap 1000" indicates there is no interrupt remapping support. "ecap 10207f" indicates interrupt remapping support, as the last character is an "f".

Interrupt remapping will only be enabled if every IOMMU supports it.

Alternatively, run the following script to determine if your system has interrupt remapping support:

#!/bin/sh
if [ $(dmesg | grep ecap | wc -l) -eq 0 ]; then
  echo "No interrupt remapping support found"
  exit 1
fi

for i in $(dmesg | grep ecap | awk '{print $NF}'); do
  if [ $(( (0x$i & 0xf) >> 3 )) -ne 1 ]; then
    echo "Interrupt remapping not supported"
    exit 1
  fi
done

echo "Interrupt remapping support available"
exit 0

Workaround

If you wish to continue using PCI passthrough without interrupt remapping for KVM guests, the previous, vulnerable behavior can be restored by running the following command as root:

echo 1 > /sys/module/kvm/parameters/allow_unsafe_assigned_interrupts

To make this change persist across reboots, add the following to "/etc/modprobe.d/kvm.conf" (or create this file, if it does not exist):

options kvm allow_unsafe_assigned_interrupts=1

(Using this option reintroduces CVE-2011-1898.)

Environment: Xen hypervisor running on Red Hat Enterprise Linux 5

Passing a PCI device to a para-virtualized Xen hypervisor guest always works and is therefore vulnerable to CVE-2011-1898. Red Hat recommends that users of para-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts only use PCI passthrough with trusted guests.

For users of fully-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts that have the RHSA-2011:1479 update installed, the regression affects systems using an Intel processor and chipset that have support for Intel Virtualization Technology for Directed I/O (VT-d), but do not have support for interrupt remapping.

Interrupt remapping support is provided in newer processors and chipsets. To identify if your system has support for interrupt remapping:

1) Reboot the host and set the log level to info (using the "loglvl=info" kernel boot option).

2) Run the xm dmesg | grep "Interrupt Remapping hardware not found" command. If this message is found, there is no interrupt remapping support and PCI passthrough will be disabled for security reasons (PCI devices will not be able to be passed to fully-virtualized guests).

Workaround

If you wish to use PCI passthrough for fully-virtualized Xen hypervisor guests on systems that do not have interrupt remapping, the previous, vulnerable behavior can be restored by rebooting the Xen hypervisor host and using the "iommu=no-intremap" kernel boot option. Using this option reintroduces CVE-2011-1898.

Note that if your hardware does not support interrupt remapping, and the RHSA-2011:1479 update has been installed, using the "iommu=on" kernel boot option prevents PCI passthrough to fully-virtualized Xen hypervisor guests (PCI devices will not be able to be assigned to the guest).

Run the "cat /proc/cmdline" command to view the options the kernel was booted with. Users of GRUB can use the "/etc/grub.conf" file to make kernel boot options persist across reboots.

[1] Refer to the "PCI passthrough" section of the Red Hat Enterprise Linux 5 Virtualization Guide or to the "PCI device assignment" section of the Red Hat Enterprise Linux 6 Virtualization Guide, available on http://docs.redhat.com/docs/en-US/index.html, for further information about PCI passthrough.
Comment 9 errata-xmlrpc 2011-08-23 10:41:57 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1189 https://rhn.redhat.com/errata/RHSA-2011-1189.html
Comment 13 Eugene Teo (Security Response) 2011-10-25 00:08:20 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748692]
Comment 14 errata-xmlrpc 2011-11-29 09:35:42 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1479 https://rhn.redhat.com/errata/RHSA-2011-1479.html
Comment 15 Murray McAllister 2011-11-30 22:03:43 EST
Comment 8 copied to a Knowledgebase article:

https://access.redhat.com/kb/docs/DOC-66828
Comment 17 errata-xmlrpc 2012-03-06 12:43:13 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:0358 https://rhn.redhat.com/errata/RHSA-2012-0358.html
Comment 18 Petr Matousek 2012-03-07 15:02:24 EST
Statement:

This issue did affect the versions of kernel package as shipped with Red Hat Enterprise Linux 5.

This issue did affect the versions of kvm package as shipped with Red Hat Enterprise Linux 5. Red Hat cannot backport the fix though as it is too invasive and has a high risk of introducing severe regressions at this point in the Red Hat Enterprise Linux 5 life-cycle. As such, Red Hat recommends that users of KVM on Red Hat Enterprise Linux 5 only use PCI passthrough with trusted guests. 

This issue did affect the versions of kernel package as shipped with Red Hat Enterprise Linux 6.

This issue did not affect the versions of kernel-rt package as shipped with Red Hat Enterprise MRG as it did not provide support for virtualization.

For further info please refer to the knowledge base article https://access.redhat.com/knowledge/articles/66747.

Note You need to log in before you can comment on or make changes to this bug.