Bug 1203737 (CVE-2015-2756, xsa126) - CVE-2015-2756 xen: unmediated PCI command register access in qemu (xsa126)
Summary: CVE-2015-2756 xen: unmediated PCI command register access in qemu (xsa126)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-2756, xsa126
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1207738
Blocks: 1203743
TreeView+ depends on / blocked
 
Reported: 2015-03-19 14:57 UTC by Vasyl Kaigorodov
Modified: 2023-05-12 21:53 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-31 15:34:49 UTC
Embargoed:


Attachments (Terms of Use)
qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x (2.84 KB, text/plain)
2015-03-19 14:59 UTC, Vasyl Kaigorodov
no flags Details
qemu-upstream-unstable, Xen 4.3.x (2.43 KB, text/plain)
2015-03-19 15:01 UTC, Vasyl Kaigorodov
no flags Details
qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x (2.44 KB, text/plain)
2015-03-19 15:01 UTC, Vasyl Kaigorodov
no flags Details

Description Vasyl Kaigorodov 2015-03-19 14:57:47 UTC
ISSUE DESCRIPTION
=================

HVM guests are currently permitted to modify the memory and I/O decode
bits in the PCI command register of devices passed through to them.
Unless the device is an SR-IOV virtual function, subsequent accesses to
the respective MMIO or I/O port ranges would - on PCI Express devices -
lead to Unsupported Request responses. The treatment of such errors is
platform specific.

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted HVM guests. This issue can
also be avoided by only using PV guests or HVM guests with their
device model run in a separate (stub) domain.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Comment 1 Vasyl Kaigorodov 2015-03-19 14:59:28 UTC
Created attachment 1003863 [details]
qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

Comment 2 Vasyl Kaigorodov 2015-03-19 15:01:18 UTC
Created attachment 1003864 [details]
qemu-upstream-unstable, Xen 4.3.x

Comment 3 Vasyl Kaigorodov 2015-03-19 15:01:58 UTC
Created attachment 1003866 [details]
qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x

Comment 4 Petr Matousek 2015-03-31 15:16:34 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1207738]

Comment 5 Petr Matousek 2015-03-31 15:20:51 UTC
References:

http://www.openwall.com/lists/oss-security/2015/03/31/7

Comment 6 Petr Matousek 2015-03-31 15:22:27 UTC
Acknowledgements:

Red Hat would like to thank the Xen for reporting this issue.

Comment 7 Petr Matousek 2015-03-31 15:34:49 UTC
Statement:

This issue dos affect the xen packages as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.


Note You need to log in before you can comment on or make changes to this bug.