|Public release ||2013-01-08 12:00|
|Updated ||2013-01-11 17:10|
|Title ||VT-d interrupt remapping source validation flaw|
Filesadvisory-33.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2012-5634 / XSA-33
VT-d interrupt remapping source validation flaw
UPDATES IN VERSION 3
The patch supplied for Xen 4.1 (xsa33-4.1.patch) contained a build
error. A corrected patch is attached. The fix is also now available in
http://xenbits.xen.org/hg/xen-4.1-testing.hg as changeset
When passing a device which is behind a legacy PCI Bridge through to
a guest Xen incorrectly configures the VT-d hardware. This could allow
incorrect interrupts to be injected to other guests which also have
In a typical Xen system many devices are owned by domain 0 or driver
domains, leaving them vulnerable to such an attack. Such a DoS is
likely to have an impact on other guests running in the system.
A malicious domain, given access to a device which is behind a legacy
PCI bridge, can mount a denial of service attack affecting the whole
Xen version 4.0 onwards is vulnerable.
Only systems using Intel VT-d for PCI passthrough are vulnerable.
Any domain which is given access to a PCI device that is behind a
legacy PCI bridge can take advantage of this vulnerability.
Domains which are given access to PCIe devices only are not able to
take advantage of this vulnerability.
This issue can be avoided by not assigning PCI devices which are
behind a legacy PCI bridge to untrusted guests.
NOTE REGARDING EMBARGO TIMELINE
After discussion with the discloser we have decided to set a longer
than usual embargo in order to avoid public disclosure during the
Applying the appropriate attached patch resolves this issue.
xsa33-4.2-unstable.patch Xen 4.2.x, xen-unstable
xsa33-4.1.patch Xen 4.1.x
$ sha256sum xsa33*.patch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team