-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2023-34326 / XSA-442 version 2 x86/AMD: missing IOMMU TLB flushing UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions. IMPACT ====== Privilege escalation, Denial of Service (DoS) affecting the entire host, and information leaks. VULNERABLE SYSTEMS ================== All Xen versions supporting PCI passthrough are affected. Only x86 AMD systems with IOMMU hardware are vulnerable. Only x86 guests which have physical devices passed through to them can leverage the vulnerability. MITIGATION ========== Not passing through physical devices to guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Roger Pau Monné of XenServer. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa442.patch xen-unstable xsa442-4.17.patch Xen 4.17.x - Xen 4.16.x xsa442-4.15.patch Xen 4.15.x $ sha256sum xsa442* e897c24953f33e24557666975662f74bd634e354108e7df293c1f56179ee97a9 xsa442.patch e7413df9a217d674f8fa71cdcc18adc98201f4fca502a3bb632424e8afc32717 xsa442-4.15.patch 0690fab47c521cae2e14e4c0cf5fcb16a7e4278ef057413ce42e0611b0739070 xsa442-4.17.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUlNOoMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ9rkH/RHZ6djmDOQJhRPgxJnzXnkgd36RNXkZtnMzVeYD V4FP0QwvrkEjTfcPy/iDzkpbL9YPcr8DcXubmOuI+VxjFAlIyVkRIqOMaVKH509V ewlSMXhCLI+yG6s61K0PqQO4KPtzpKXlevqsSn/HF8ZCIyxXvd3UfNX08342RZZZ Aw6Wr6Q08TvDWE4CTuc1jxTcRiTHvdSd2rSAZznJbaluL/wmgoGvI2mG/NmYPe6E aItatb9C0mPfmT/meqa3JOzJ/IOfFw+TGPkXvfTu5C2b8aCfXjcGf26r33mvkQO8 A4wKf6wisxs8ZVl0qDB0u+u2N8ihUfjopLH7QTiQzg4StyY= =oXbA -----END PGP SIGNATURE-----