-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Xen Security Advisory CVE-2015-4106 / XSA-131
                              version 3

              Unmediated PCI register access in qemu

UPDATES IN VERSION 3
====================

Public release.  CVE assigned.

ISSUE DESCRIPTION
=================

Qemu allows guests not only to read, but also to write, all parts of the
PCI config space (but not the extended config space) of passed-through
PCI devices that are not explicitly handled for (partial) emulation
purposes.

IMPACT
======

Since the effect depends on the specific purpose of the config space
field, it's not possible to give a general statement about the exact
impact on the host or other guests.  Privilege escalation, host crash
(Denial of Service), and leaked information all cannot be excluded.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Only HVM guests which have been granted access to physical PCI devices
(`PCI passthrough') can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted HVM
guests.

This issue can also be avoided by only using PV guests.

It can also be avoided by configuring HVM guests with their device model
run in a separate (stub) domain.  (When using xl, this can be requested
with "device_model_stubdomain_override=1" in the domain configuration
file.)

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.
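The distinction the advisory draws, between config space registers the device model explicitly emulates and those it does not, can be illustrated with an added Python model of a mediated config space front end. This is example code written for this page; it is not qemu's code and not the XSA-131 patches. The emulation table, the writable-bit masks, the constructed device contents and the demo helper are all assumptions made for illustration; a real device model needs per-device register knowledge that such a toy table does not capture. The standard header offsets (Command at 0x04, BAR0 at 0x10, Interrupt Line at 0x3C) are from the PCI Local Bus Specification.

```python
"""Toy model of mediated vs. unmediated PCI config-space writes.

Added illustration only: this is neither qemu's code nor the XSA-131 patches.
It models the policy the advisory implies: the guest may read the whole
256-byte conventional config space, but a write should reach the physical
device only through a register the device model explicitly emulates, and
only in the bits that emulation declares writable.  Register table, masks and
device contents below are constructed for the example.
"""

CONFIG_SPACE_SIZE = 256  # conventional config space; extended space (4 KiB) is out of scope

# Standard type-0 header offsets from the PCI Local Bus Specification.
REG_VENDOR_ID = 0x00       # 16-bit, read-only by nature
REG_COMMAND = 0x04         # 16-bit Command register
REG_BAR0 = 0x10            # first 32-bit Base Address Register
REG_INTERRUPT_LINE = 0x3C  # 8-bit Interrupt Line

# Hypothetical emulation table: offset -> (size in bytes, writable bit mask).
# Only these registers are "explicitly dealt with"; every other offset is not.
EMULATED_REGISTERS = {
    REG_COMMAND: (2, 0x0007),       # I/O space, memory space, bus-master enable only
    REG_BAR0: (4, 0xFFFFFFF0),      # address bits writable; type/prefetch bits fixed
    REG_INTERRUPT_LINE: (1, 0xFF),
}


class PhysicalDevice:
    """Stand-in for the passed-through device: a flat byte array of config space."""

    def __init__(self):
        self.cfg = bytearray(CONFIG_SPACE_SIZE)
        # Constructed vendor/device id 0x1234:0xABCD, little-endian as on the bus.
        self.cfg[0:2] = (0x1234).to_bytes(2, "little")
        self.cfg[2:4] = (0xABCD).to_bytes(2, "little")

    def read(self, off, size):
        return int.from_bytes(self.cfg[off:off + size], "little")

    def write(self, off, size, value):
        self.cfg[off:off + size] = value.to_bytes(size, "little")


class ConfigSpaceFilter:
    """Device-model front end.  mediate_writes=False reproduces the unmediated
    behaviour the advisory describes; True applies the emulation table."""

    def __init__(self, device, emulated=EMULATED_REGISTERS, mediate_writes=True):
        self.device = device
        self.mediate_writes = mediate_writes
        # Expand the register table into a per-byte writable mask so that
        # accesses overlapping only part of a register are handled byte by byte.
        self.write_mask = bytearray(CONFIG_SPACE_SIZE)
        for off, (size, mask) in emulated.items():
            for i in range(size):
                self.write_mask[off + i] = (mask >> (8 * i)) & 0xFF

    @staticmethod
    def _check(off, size):
        # Config accesses are 1, 2 or 4 bytes, naturally aligned, inside the space.
        if size not in (1, 2, 4) or off % size or off + size > CONFIG_SPACE_SIZE:
            raise ValueError(f"invalid config access: offset {off:#x} size {size}")

    def guest_read(self, off, size):
        self._check(off, size)
        return self.device.read(off, size)

    def guest_write(self, off, size, value):
        """Return the value stored in the device, or None if the write was dropped."""
        self._check(off, size)
        value &= (1 << (8 * size)) - 1
        if not self.mediate_writes:
            self.device.write(off, size, value)  # vulnerable: everything goes through
            return value
        mask = int.from_bytes(self.write_mask[off:off + size], "little")
        if mask == 0:
            return None  # register not emulated: the write never reaches the device
        merged = (self.device.read(off, size) & ~mask) | (value & mask)
        self.device.write(off, size, merged)
        return merged


def demo():
    """Run the same guest writes against the unmediated and the mediated filter."""
    results = {}
    for mediated in (False, True):
        dev = PhysicalDevice()
        filt = ConfigSpaceFilter(dev, mediate_writes=mediated)
        filt.guest_write(0x40, 4, 0xDEADBEEF)   # constructed device-specific register
        filt.guest_write(REG_COMMAND, 2, 0xFFFF)
        results[mediated] = (dev.read(0x40, 4), dev.read(REG_COMMAND, 2))
    return results


if __name__ == "__main__":
    for mediated, (reg40, cmd) in demo().items():
        print(f"mediated={mediated}: reg 0x40={reg40:#010x} command={cmd:#06x}")
```

With mediation off, both writes land on the device unchanged, which is the situation the advisory describes: the guest can alter a device-specific register the device model knows nothing about. With mediation on, the write to the unknown offset is dropped and the Command register keeps only the three bits the table allows.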
xsa131-qemuu-$n.patch        qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa131-qemuu-4.4-1.patch     Xen 4.4.x replacement for xsa131-qemuu-1.patch
xsa131-qemuu-4.3-$n.patch    Xen 4.3.x
xsa131-qemut-$n.patch        qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x,
                             Xen 4.3.x, Xen 4.2.x
xsa131-qemut-4.2-1.patch     Xen 4.2.x replacement for xsa131-qemut-1.patch

$ sha256sum xsa131*.patch
2ff4aa092247ff0911d837adc5f4de1ffa8ed32a39eaea9b0bfc4a40b7921b06  xsa131-qemut-1.patch
dafa524374d890e517d4e2600a594064b55af645172422b9e81a64b5f4a64575  xsa131-qemut-2.patch
b37d3e22ce4410bf0db87217c60a543f0143a23ab0652f1746bd5fe17dbadd70  xsa131-qemut-3.patch
b5f0882717129142f11297a62b2ed826da94ce5ed42f6b2ea60f9101b652aed9  xsa131-qemut-4.2-1.patch
3bfc58b6288bafb4c2039265be32c6bd9e048b63a4cae279ead3ec1154af9abe  xsa131-qemut-4.patch
60c44b63d2c7bd7e12631db7fd05622d782e1a5ccd7dfa17a1671b36b5ff7bee  xsa131-qemut-5.patch
8f2a9c4333155fac670ad3a932703051ce8a47f4f6d3a067458e5ab49da7e93a  xsa131-qemut-6.patch
ed4facfa80b2ab7ecfc9b232878d3f4d54ad93214c75f4b4af71c8f07a1d04c4  xsa131-qemut-7.patch
d400d03ae792699fec9a54bbb6b08c2f5523427ef8af85b0c5ede497ba87f61c  xsa131-qemut-8.patch
7a7f294303a8bcf9a316e3e6b8a0511dac3e92dbf7e373b21c94b97835c03f2f  xsa131-qemuu-1.patch
dc72bd4993fdcea3dc98d18f314da3ac1c7e73e0b99dac325b0e59d0229f67e5  xsa131-qemuu-2.patch
61524a47fd29406ba9a2983ea9cb59e45a56d716d65d78689177d9c8e95f76e6  xsa131-qemuu-3.patch
21493c5db68115d97a6aecf1159ee05023b59545627d7f03d7fdaa238bb3bd27  xsa131-qemuu-4.3-1.patch
5828647db6f090ce6c7ea20f90331008f2a0bba18b3a3a371f2ba9054871a7cb  xsa131-qemuu-4.3-2.patch
eab05df32e8a7c729cc52affd28b109a8f75cabb8fd4027934059d303b2232fa  xsa131-qemuu-4.3-3.patch
8dc95a2a8a45d851476b938e4cab2e65d87b8dc28c721949824ce900552ba489  xsa131-qemuu-4.3-4.patch
7a358fba18ae9c0dde1134564151a97c8e6d6f5982ac74c450f81d2ed8e9d540  xsa131-qemuu-4.3-5.patch
fcb77a8d2adde1daf03f8faeb6e92788b2727f5b11563b6f770c74251b0964a4  xsa131-qemuu-4.3-6.patch
79933b2744e7b69c4eb23f3974d242e2592cb4553be115a4aec1c6e30e7564cf  xsa131-qemuu-4.3-7.patch
bb4021a36a9f36dc0082cfd42869adc737ec4afea92ac1100f0971118174b58c  xsa131-qemuu-4.3-8.patch
f70516fa38a3d2e0cf906c41e3b7dfd7cf998c9189b232dac20633c7b0d1ab8b  xsa131-qemuu-4.4-1.patch
041c82a341755bcbab18f834a0fccf9c031674d956958092cbfa5e64f05b6318  xsa131-qemuu-4.patch
91aeb9c0d3e9a251faf12840e0519a342cfb7e35af3fea429bedb452182fae47  xsa131-qemuu-5.patch
60482fe37fd405032b92de85ed5d333c210c85662b1645016dce2f0053aa6ec0  xsa131-qemuu-6.patch
05fc2e614620449e52a056ce6e5f4033970ade22fde623e3b789fc57b3e4143e  xsa131-qemuu-7.patch
358849d7c0dff29bf96f49e56d00c4d7bd4c8d0c71c122a7b3655e10f45cb53b  xsa131-qemuu-8.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except on systems
used and administered only by organisations which are members of the Xen
Project Security Issues Predisclosure List).  Specifically, deployment on
public cloud systems is NOT permitted.

This is because the altered PCI config space access behavior is visible
to guests.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in post-embargo
publicly released Xen Project advisories, even though it is then no
longer applicable.  This is to enable the community to have oversight of
the Xen Project Security Team's decision-making.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJVbbdZAAoJEIP+FMlX6CvZ1yEIAKWoq6O8Nk8zewvKojXnmt0J
irQ4p9uXBDN682d9Vloq+y86PSt5NLs83ZfAHWSkWPkkgyDXy4tmnte9LGMLmVI+
Z7nZs4dsH2bixFMJfqjKWE//py37TIVmI4M37xOgkNV8HTQJ0ZHWgYur5ilNJu9x
HJ1duL3//+zkelA+zUQQSNMPvc2OUCSRGW5UVDwn95xJDAgURWe2d6c6bg8yG7T6
ufwO0x1CWTRaVsbLRSCST3NEVl7bxmYR5RBxlBaUIpgzT53aK3XHoiAezjTdK1Ul
TiZ3Hb0XVtFbNEz2cCWQBEdQPKYhJjxpUBdRi9zlsiFwHa+lG+CA3i1IcqXIXQo=
=tNVc
-----END PGP SIGNATURE-----