Bug 1196266 (CVE-2015-2150, CVE-2015-8553, xsa120) - CVE-2015-2150 CVE-2015-8553 xen: non-maskable interrupts triggerable by guests (xsa120)
Summary: CVE-2015-2150 CVE-2015-8553 xen: non-maskable interrupts triggerable by guest...
Status: CLOSED WONTFIX
Alias: CVE-2015-2150, CVE-2015-8553, xsa120
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150310,repor...
Keywords: Security
Depends On: 1200397 1292439
Blocks: 1196269
TreeView+ depends on / blocked
 
Reported: 2015-02-25 15:39 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:27 UTC (History)
9 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-02-26 13:43:36 UTC


Attachments (Terms of Use)
xsa120.patch (3.62 KB, text/plain)
2015-02-25 15:42 UTC, Vasyl Kaigorodov
no flags Details
xsa120-addendum.patch (1.83 KB, text/plain)
2015-04-01 08:03 UTC, Martin Prpič
no flags Details
xsa120-classic-addendum.patch (1.70 KB, text/plain)
2015-04-01 08:03 UTC, Martin Prpič
no flags Details

Description Vasyl Kaigorodov 2015-02-25 15:39:37 UTC
ISSUE DESCRIPTION
=================

Guests are currently permitted to modify all of the (writable) bits in
the PCI command register of devices passed through to them. This in
particular allows them to disable memory and I/O decoding on the
device unless the device is an SR-IOV virtual function, in which case
subsequent accesses to the respective MMIO or I/O port ranges would
- - on PCI Express devices - lead to Unsupported Request responses. The
treatmeant of such errors is platform specific.

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through. Upstream Linux versions 3.1 and onwards are vulnerable
due to supporting PCI backend functionality. Other Linux versions as
well as other OS versions may be vulnerable too.

Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted guests.

RESOLUTION
==========

Applying the attached patch resolves this issue for upstream Linux.

xsa120.patch Linux 3.19

$ sha256sum xsa120*.patch
5167215293d4a8a05f090fca5b20eb5878213a0158a0e7a12c245553db81a855 xsa120.patch

Comment 1 Vasyl Kaigorodov 2015-02-25 15:42:04 UTC
Created attachment 995253 [details]
xsa120.patch

Comment 3 Petr Matousek 2015-02-26 13:43:36 UTC
Statement:

This issue does affect the Dom0 Xen kernel as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 5 Martin Prpič 2015-03-10 13:35:31 UTC
External References:

http://xenbits.xen.org/xsa/advisory-120.html

Comment 6 Martin Prpič 2015-03-10 13:36:44 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1200397]

Comment 7 Martin Prpič 2015-04-01 08:02:18 UTC
An update on this issue from Xen:

The original patches were incomplete: although they eliminated the
possibility that the guest might disable memory and I/O decoding, they
did not ensure that these bits were set at start of day. The result
was that a malicious guest could simply avoid enabling them and
continue to exploit the vulnerability.

Well behaved guests would normally enable decoding and therefore would
not normally suffer a regression.

Additional patches are now supplied to resolve this issue.

Comment 8 Martin Prpič 2015-04-01 08:03:01 UTC
Created attachment 1009512 [details]
xsa120-addendum.patch

Comment 9 Martin Prpič 2015-04-01 08:03:28 UTC
Created attachment 1009513 [details]
xsa120-classic-addendum.patch

Comment 10 Martin Prpič 2015-12-17 13:12:29 UTC
A second CVE has been assigned to this issue per:

http://xenbits.xen.org/xsa/advisory-157.html

Comment 11 Martin Prpič 2015-12-17 13:14:58 UTC
From the updated XSA-120:

"UPDATES IN VERSION 5
====================

The original patches were incomplete: although they eliminated the
possibility that the guest might disable memory and I/O decoding, they
did not ensure that these bits were set at start of day.  The result
was that a malicious guest could simply avoid enabling them and
continue to exploit the vulnerability.

Well behaved guests would normally enable decoding and therefore would
not normally suffer a regression.

Additional patches are now supplied to resolve this issue."

Comment 12 Martin Prpič 2015-12-17 13:16:06 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1292439]


Note You need to log in before you can comment on or make changes to this bug.