-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2015-4103 / XSA-128 version 2 Potential unintended writes to host MSI message data field via qemu UPDATES IN VERSION 2 ==================== Public release. CVE assigned. ISSUE DESCRIPTION ================= Logic is in place to avoid writes to certain host config space fields when the guest must nevertheless be able to access their virtual counterparts. A bug in how this logic deals with accesses spanning multiple fields allows the guest to write to the host MSI message data field. While generally the writes write back the values previously read, their value in config space may have got changed by the host between the qemu read and write. In such a case host side interrupt handling could become confused, possibly losing interrupts or allowing spurious interrupt injection into other guests. IMPACT ====== Certain untrusted guest administrators may be able to confuse host side interrupt handling, leading to a Denial of Service. VULNERABLE SYSTEMS ================== Xen versions 3.3 and onwards are vulnerable due to supporting PCI pass-through. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only HVM guests with their device model run in Dom0 can take advantage of this vulnerability. Only HVM guests which have been granted access to physical PCI devices (`PCI passthrough') can take advantage of this vulnerability. Furthermore, the vulnerability is only applicable when the passed-through PCI devices are MSI-capable. (Most modern devices are.) MITIGATION ========== This issue can be avoided by not assigning MSI capable PCI devices to untrusted HVM guests. This issue can also be avoided by only using PV guests. It can also be avoided by configuring HVM guests with their device model run in a separate (stub) domain. (When using xl, this can be requested with "device_model_stubdomain_override=1" in the domain configuration file.) CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. xsa128-qemuu.patch qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x xsa128-qemuu-4.3.patch Xen 4.3.x xsa128-qemut.patch qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x $ sha256sum xsa128*.patch 68b85a4c7d531d343d7fac2e92dbec3677bc2e4a83de75d78d7f605a2fc8ad3f xsa128-qemut.patch 2ec657a6f22cac922854548c9d83698656ab7a36634ad05de7f14439cc4405bc xsa128-qemuu-4.3.patch 104cf2e2816d253cc1eca3084f6ea9b6007f7773a88bda245bab00539e08b359 xsa128-qemuu.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJVbbdOAAoJEIP+FMlX6CvZEPUIAIti0HdxCX4JNy5MKqNFxHRB KtGibssSaoGcPmkhLDqtOQ+8BwTUe/owezKlX799Jf0Jqn1bVXejCLyh0e6cyauq pPoyQd+zblIpTFw3ByqVzicLajmVfY5v8yGGBAnSpuvfVEd3K5qWZCvFx+rEJ4AB JI8jQdMAn2oFGtLbYDysRUpSjg/OtqIC6o3a4yfVnPDcduPq9XFpnxcdHHVfrklS SeY1MGLbJtrNzya+zX1GZxFh5kuZnF/qSY3o60LF+2ZpK9nyH8toX1flvW9lXa86 9r1zxgy6qE1iWOHo4E1HjlK3lUUqW0XgkB/3zj+2LtX1uTwOhPtATn5/Neje0GY= =4I3/ -----END PGP SIGNATURE-----