Information

Advisory XSA-120
Public release 2015-03-10 12:00
Updated 2023-12-15 15:35
Version 6
CVE(s) CVE-2015-2150 CVE-2015-8553
Title Non-maskable interrupts triggerable by guests

Files

advisory-120.txt (signed advisory file)
xsa120.patch
xsa120-addendum.patch
xsa120-classic.patch
xsa120-classic-addendum.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

      Xen Security Advisory CVE-2015-2150,CVE-2015-8553 / XSA-120
                              version 6

              Non-maskable interrupts triggerable by guests

UPDATES IN VERSION 6
====================

CVE assigned for incompleteness of patches in XSA-120 v4 and earlier.
(Addendum patch to fix supplied in XSA-120 v5 and later.)

No changes to patches or advisory text, other than to ensure two
spaces in the version tag section.

ISSUE DESCRIPTION
=================

Guests are currently permitted to modify all of the (writable) bits in
the PCI command register of devices passed through to them. This in
particular allows them to disable memory and I/O decoding on the
device unless the device is an SR-IOV virtual function, in which case
subsequent accesses to the respective MMIO or I/O port ranges would
- - on PCI Express devices - lead to Unsupported Request responses. The
treatment of such errors is platform specific.  (CVE-2015-2150)

(Also, the patches in XSA-120 v4 and earlier were incomplete.  This
incompleteness is CVE-2015-8553.  Additional patches are supplied in
XSA-120 v5 and later to resolve this issue.)

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through. Upstream Linux versions 3.1 and onwards are vulnerable
due to supporting PCI backend functionality. Other Linux versions as
well as other OS versions may be vulnerable too.

Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted guests.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue for the
indicated versions of Linux, but only for ordinary PCI config space
accesses by the guest. See XSA-124 for all other cases.

xsa120.patch                   Linux 3.19
xsa120-addendum.patch          Linux 3.19
xsa120-classic.patch           linux-2.6.18-xen.hg
xsa120-classic-addendum.patch  linux-2.6.18-xen.hg

$ sha256sum xsa120*.patch
32441fd3930848f7533f74376648fbeb5e35870661e1259860fe10f9a1f67f88  xsa120.patch
32be0b76f5585e9258ebaed348b40b57014ee5163c313a0523fd46f55ac05210  xsa120-addendum.patch
ecd4568d418d6e275f1eebdba4867e7cfdc6a487292db0e9eff0e9e7e2c91826  xsa120-classic.patch
8b377abe56bebf5030587030bf231c2d5bc1f695e21cc4dfbbd348e9b616849c  xsa120-classic-addendum.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b+sMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZdPoH/21kxHFoITUDVYltYGgGFAHTyluC9ZuP4W0DT4D7
hDN5W5JBJmblrvyjJjPCs7WybfUuXm6XjvnANNrC26hTrJ0UQJNiuflQUHfnLk+X
nwo7CvDaPM1qcYTyUC6QfSClevU9vgyBwBaUI7uzf7D1cxS3XWiWgJhbd5wlK9sb
DuAJe6XM3m/SB8euMw3xv5y54D2X+KxwA+jRILLpRsfvq8XEZFg0856loi1aRFLs
hLu6JyR/bOEYeifkpkuXjCv78PsL3ookjuABha0/hXv7CGvwggkzf5Wtjnd/JeA3
Y7QTH5BATJ513YGuqnyRsZAVRMOKftzcsjQm84EwxuYaKx8=
=KDSF
-----END PGP SIGNATURE-----

Xenproject.org Security Team