| Public release | 2015-06-02 12:00 |
| Updated | 2015-06-02 14:02 |
| Title | Potential unintended writes to host MSI message data field via qemu |
| Files | advisory-128.txt (signed advisory file) |
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2015-4103 / XSA-128
Potential unintended writes to host MSI message data field via qemu
UPDATES IN VERSION 2

Logic is in place to avoid writes to certain host config space fields
when the guest must nevertheless be able to access their virtual
counterparts. A bug in how this logic deals with accesses spanning
multiple fields allows the guest to write to the host MSI message data

While generally the writes write back the values previously read,
their value in config space may have got changed by the host between
the qemu read and write. In such a case host side interrupt handling
could become confused, possibly losing interrupts or allowing spurious
interrupt injection into other guests.

Certain untrusted guest administrators may be able to confuse host
side interrupt handling, leading to a Denial of Service.

Xen versions 3.3 and onwards are vulnerable due to supporting PCI

Only x86 systems are vulnerable. ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Only HVM guests which have been granted access to physical PCI devices
(`PCI passthrough') can take advantage of this vulnerability.

Furthermore, the vulnerability is only applicable when the
passed-through PCI devices are MSI-capable. (Most modern devices

This issue can be avoided by not assigning MSI capable PCI devices to
untrusted HVM guests.

This issue can also be avoided by only using PV guests.

It can also be avoided by configuring HVM guests with their device
model run in a separate (stub) domain. (When using xl, this can be
requested with "device_model_stubdomain_override=1" in the domain
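
The conditions listed above (HVM guest, PCI passthrough, device model run in Dom0) can be checked against xl domain configuration files. The Python sketch below is an added example, not part of the advisory and not Xen Project code; the sample configs are constructed, and it assumes each config uses only simple `key = literal` assignments. It cannot tell whether a passed-through device is MSI-capable or whether the patch is applied, so a hit means "review this guest".

```python
import ast

# Constructed sample xl domain configs (not taken from the advisory).
SAMPLES = {
    "hvm-dom0-dm.cfg": 'builder = "hvm"\nname = "guest1"\npci = [ "01:00.0" ]\n',
    "hvm-stubdom.cfg": ('type = "hvm"\npci = ["02:00.0"]\n'
                        'device_model_stubdomain_override = 1\n'),
    "pv-passthrough.cfg": 'name = "guest3"\nkernel = "/boot/vmlinuz"\npci = ["03:00.0"]\n',
    "hvm-no-pci.cfg": 'builder = "hvm"\nmemory = 2048\n',
}


def parse_xl_cfg(text):
    """Parse the simple `key = literal` subset of xl config syntax into a dict."""
    settings = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass  # value is not a plain literal; irrelevant to this audit
    return settings


def xsa128_exposure(text):
    """Return (needs_review, reason) for one domain config.

    Mirrors the advisory's conditions: HVM guest, PCI passthrough,
    device model not moved into a stub domain.
    """
    cfg = parse_xl_cfg(text)
    # xl guests are PV unless builder/type says otherwise.
    if "hvm" not in (cfg.get("builder"), cfg.get("type")):
        return False, "not an HVM guest"
    devices = cfg.get("pci") or []
    if not devices:
        return False, "no PCI passthrough"
    if int(cfg.get("device_model_stubdomain_override", 0)):
        return False, "device model runs in a stub domain"
    return True, "HVM guest, device model in Dom0, passthrough of " + ", ".join(map(str, devices))


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        review, reason = xsa128_exposure(text)
        print(f"{name}: {'REVIEW' if review else 'ok'} ({reason})")
```
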
This issue was discovered by Jan Beulich of SUSE.

Applying the appropriate attached patch resolves this issue.

xsa128-qemuu.patch        qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa128-qemuu-4.3.patch    Xen 4.3.x
xsa128-qemut.patch        qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa128*.patch

DEPLOYMENT DURING EMBARGO

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team