-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-4104 / XSA-129 version 2 PCI MSI mask bits inadvertently exposed to guests UPDATES IN VERSION 2 ==================== Public release. CVE assigned. ISSUE DESCRIPTION ================= The mask bits optionally available in the PCI MSI capability structure are used by the hypervisor to occasionally suppress interrupt delivery. Unprivileged guests were, however, nevertheless allowed direct control of these bits. IMPACT ====== Interrupts may be observed by Xen at unexpected times, which may lead to a host crash and therefore a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Only HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability. Furthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-capable. (Most modern devices are.) MITIGATION ========== This issue can be avoided by not assigning MSI capable PCI devices to untrusted HVM guests. This issue can also be avoided by only using PV guests. It can also be avoided by configuring HVM guests with their device model run in a separate (stub) domain. (When using xl, this can be requested with "device_model_stubdomain_override=1" in the domain configuration file.) CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa129-qemuu.patch qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x xsa129-qemuu-4.3.patch Xen 4.3.x xsa129-qemut.patch qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa129*.patch 3c6b5a085eec3a528b18207ca65222300911fd25501a9ffaffa76a5d85d23992 xsa129-qemut.patch 314808fbaa97d06bc4bb6cb6644dca1ae2da55534661c662c6e442d5b91e6061 xsa129-qemuu-4.3.patch 9f0658e197c539306118723d63b468d09fe3a1d9f9364f6d06e53b7be8268bdc xsa129-qemuu.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of patches or migitations is NOT permitted (except on systems used and administered only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployent on public cloud systems is NOT permitted. This is because the altered PCI config space access behavior is visible to guests. Deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVbbdRAAoJEIP+FMlX6CvZe+4H/RcQcEsggqHg5eK/9yowQV1c erLWwpP18+v1pSRKqC+In/snL4g6H1DiC7ezwEbyQzOA8GGgiikTHqyTyFATvEHN hCwMgYW4ZYcR/euqJ7kgi7q368+39sM6ZzEnKCwr4GUeWLtBh+6ABeih5XlfjyfS 0HWuw+NBkT7IcIR/KaQwa17or3fZ2cZKq1NU4EksFjuD+ucMS7a4sPs1SztoSbXc Qf5TZn0XsDWoAodX/EmI4xRubpKL6Ae6noOCkBDelssvwzIhR1rZfFL8qALy+axf vb4le4Woy7USkWssOURSvkY8iMio25qvwGFxORzI9x4ImMU+XC+r6QSCLER202Q= =VQRQ -----END PGP SIGNATURE-----