-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2017-15590 / XSA-237
                              version 3

                multiple MSI mapping issues on x86

UPDATES IN VERSION 3
====================

CVE assigned.

ISSUE DESCRIPTION
=================

Multiple issues exist with the setup of PCI MSI interrupts:

- unprivileged guests were permitted access to devices not owned by them,
  in particular allowing them to disable MSI or MSI-X on any device
- HVM guests can trigger a codepath intended only for PV guests
- some failure paths partially tear down previously configured interrupts,
  leaving inconsistent state
- with XSM enabled, caller and callee of a hook disagreed about the data
  structure pointed to by a type-less argument

IMPACT
======

A malicious or buggy guest may cause the hypervisor to crash, resulting
in Denial of Service (DoS) affecting the entire host. Privilege
escalation and information leaks cannot be excluded.

VULNERABLE SYSTEMS
==================

All Xen versions from 3.3 onwards are vulnerable. Xen versions 3.2 and
earlier are not vulnerable.

Only x86 systems are affected. ARM systems are not affected.

Only guests which have a physical device assigned to them can exploit
the vulnerability.

MITIGATION
==========

Not passing through physical devices to untrusted guests will avoid the
vulnerability.

The vulnerability can be avoided if the guest kernel is controlled by the
host rather than guest administrator, provided that further steps are
taken to prevent the guest administrator from loading code into the
kernel (e.g. by disabling loadable modules etc) or from using other
mechanisms which allow them to run code at kernel privilege.

CREDITS
=======

This issue was discovered by Simon Gaiser of Qubes OS Project.

RESOLUTION
==========

Applying the appropriate attached set of patches resolves this issue.
xsa237-unstable/*.patch    xen-unstable
xsa237-4.9/*.patch         Xen 4.9.x
xsa237-4.8/*.patch         Xen 4.8.x, Xen 4.7.x
xsa237-4.6/*.patch         Xen 4.6.x
xsa237-4.5/*.patch         Xen 4.5.x

$ sha256sum xsa237* xsa237*/*
1d4d3fa452e91d235fd688761d695752bde2f2e91fd9b17f566c4cee23ae26d0  xsa237.meta
3259cd514ea80e3cbac5b72376b4e964afb3b2cabee347440ec2bdd6e585c513  xsa237-unstable/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device.patch
7ef53f6a5f3fc6952cb8411e31e0a670de5a78ab2c8176037db32cf147438aa6  xsa237-unstable/0002-x86-enforce-proper-privilege-when-mapping-pIRQ-s.patch
494a79332fc5f854f0dc7606669201717a41e5b89b44db2fb30607a326930bfb  xsa237-unstable/0003-x86-MSI-disallow-redundant-enabling.patch
503b58512c5336aff9692c0d0768f38ee956c0988fa3fad4d439f13814736e06  xsa237-unstable/0004-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-error.patch
dc5f27245e44582db682ac53f24007685ea2f8cb104bad9b4d6afeaa7c4e73d2  xsa237-unstable/0005-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook.patch
cd9cd248c4564552bbe847462d247b78ff6af1052198e6b6529178a8a624e1f6  xsa237-4.5/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device.patch
87bbb240323b3cce9767da73961d58436c436db6da614c62ade7640f87f748dd  xsa237-4.5/0002-x86-enforce-proper-privilege-when-mapping-pIRQ-s.patch
6a2e6772fa7b7a1683f7b1041f06757562622228635aedb8c760ebcd9ad0ff7a  xsa237-4.5/0003-x86-MSI-disallow-redundant-enabling.patch
c558ca347b6df9b430fbdaf9c9b8e3b203c273be1e2bb01aa3424773b88df91d  xsa237-4.5/0004-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-error.patch
60169e2016451e1c479c4f873ee6798b6abc46e3223a60a4b83bac20a7a3d27c  xsa237-4.5/0005-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook.patch
cd9cd248c4564552bbe847462d247b78ff6af1052198e6b6529178a8a624e1f6  xsa237-4.6/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device.patch
d39d1c0eaf2ba169b6596520b05930d280721c397fafa3414b6da6168e8b73ca  xsa237-4.6/0002-x86-enforce-proper-privilege-when-mapping-pIRQ-s.patch
494a79332fc5f854f0dc7606669201717a41e5b89b44db2fb30607a326930bfb  xsa237-4.6/0003-x86-MSI-disallow-redundant-enabling.patch
c558ca347b6df9b430fbdaf9c9b8e3b203c273be1e2bb01aa3424773b88df91d  xsa237-4.6/0004-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-error.patch
4cdcd71758d9e5b392c38aeafc9960a4f3ef5c109508e69b2218a8d8394edf0b  xsa237-4.6/0005-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook.patch
1ae6aefb86ba0c48a45ecc14ff56ea0bc3d9d354937668bcacadaed1225017a8  xsa237-4.8/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device.patch
bf2ca9cb99ee64d7db77d628cec1a84684c360fd36de433cbc78fbcde8095319  xsa237-4.8/0002-x86-enforce-proper-privilege-when-mapping-pIRQ-s.patch
494a79332fc5f854f0dc7606669201717a41e5b89b44db2fb30607a326930bfb  xsa237-4.8/0003-x86-MSI-disallow-redundant-enabling.patch
9a38899afd728d504382954de28657aa82af7da352eb4e45a5e615bd646834c5  xsa237-4.8/0004-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-error.patch
fef5c77f19e2c6229912f1fd19cbcb41c1ce554ff53be22198b2f34ea7a27314  xsa237-4.8/0005-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook.patch
c97819cdf567c9bb2c38083a941995f836d7dabe3c8bbedf2205e3996cfbce68  xsa237-4.9/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device.patch
d31a2d1053d377e7159060f24a7dbf1d5fd9ebd1f4e4556c4c16b3f409a81130  xsa237-4.9/0002-x86-enforce-proper-privilege-when-mapping-pIRQ-s.patch
494a79332fc5f854f0dc7606669201717a41e5b89b44db2fb30607a326930bfb  xsa237-4.9/0003-x86-MSI-disallow-redundant-enabling.patch
f8d8c9f70b22d735960393bce042f39caaaf12e42344394e6078461437fa39aa  xsa237-4.9/0004-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-error.patch
7f3955a8218850ee2cc9ddd9d11fdc25f526d32e80e189d063e3e779d448af40  xsa237-4.9/0005-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZ50QfAAoJEIP+FMlX6CvZT/YH/RNPskIGMXkly2KENMZjKIIe
n+PNYB0X1YYr0QS2ooMg2IWrA/3AcxC7IIldVTA0GTUFsg6hSSijAllZY7RtClO8
9hUAt1v3v2vsQ2IM5M+4+ADhGwmclMxYcjjjiZI4odA5qaM9s8v5VlPW048JBu2N
9r9KpEcOZ7o/QCZIZIn0Wzk3HK6CrFPQcTBAEaKuADJA8Ub3M0R61pgRRzJKOlIA
pzCrh7dr1bmmFPlb3UxklsaaW/Z9aOS6s21dAMjqcOEu3KVl0EPq56aW5K0o8Emn
C68MMs19kqXh1GnrtuPH5GeauKRNKxS3F/O6m3JupLc+YQkwmAyYg7cpPdciCLY=
=4/VD
-----END PGP SIGNATURE-----
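The VULNERABLE SYSTEMS and MITIGATION sections reduce to a triage question for the host administrator: is this Xen in the affected range (3.3 onwards, x86 only), and which guests currently have a physical PCI device assigned, since only those guests can exploit the issue? The POSIX shell helper below is an added example; it is not part of the advisory or of the Xen Project's tooling, and the function names are hypothetical. It answers both questions from `xl` output, parsed under two assumptions that the advisory itself does not state: `xl list` prints a header line followed by one line per domain with the name in the first column and the domain ID in the second, and `xl pci-list <domid>` prints a header line followed by one line per assigned device.

```shell
#!/bin/sh
# Added example, not part of XSA-237 or of the Xen Project's tooling.
# Triage helper for a host administrator: is this Xen in the affected range
# (3.3 onwards, per the advisory), and which guests currently have a PCI
# device assigned and therefore could exercise the MSI mapping issues?
#
# Assumed output layouts (not taken from the advisory):
#   `xl list`           header line, then one line per domain:
#                       name in column 1, domain ID in column 2
#   `xl pci-list <id>`  header line, then one line per assigned device

# Exit 0 when a Xen version string such as "4.9.0" or "3.2" falls in the
# advisory's affected range, i.e. 3.3 or later.
xen_version_vulnerable() {
    [ -n "$1" ] || return 1
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 3 ]; }
}

# Read `xl list` output on stdin and print "name id" for every guest,
# skipping the header line and Domain-0 (ID 0).
list_guest_domains() {
    awk 'NR > 1 && NF >= 2 && $2 != 0 { print $1, $2 }'
}

# Read `xl pci-list` output on stdin and print the number of devices
# listed (header line skipped, blank lines ignored).
count_pci_devices() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Print "name id devices" for each guest with at least one PCI device
# assigned. Guests without passthrough devices are omitted: per the
# advisory they cannot exploit the issue.
report_passthrough_guests() {
    xl list | list_guest_domains | while read -r name id; do
        count=$(xl pci-list "$id" | count_pci_devices)
        if [ "$count" -gt 0 ]; then
            echo "$name $id $count"
        fi
    done
}

# Stand-alone use on a Xen host (skipped where the xl toolstack is absent).
# `xl info` prints "xen_version : <version>", so the value is field 3.
if command -v xl >/dev/null 2>&1; then
    ver=$(xl info | awk '$1 == "xen_version" { print $3 }')
    if xen_version_vulnerable "$ver"; then
        echo "Xen $ver is in the range affected by XSA-237"
    fi
    echo "guests with PCI passthrough (name id devices):"
    report_passthrough_guests
fi
```

Run it as root on the host (dom0) where `xl` is available; any guest it lists should be treated as an untrusted guest with a passed-through device for the purpose of this advisory until the patches are applied. The version check only covers the "3.3 onwards" range; the x86-only condition is for the administrator to confirm separately.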