-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2024-31146 / XSA-461
                                 version 2

             PCI device pass-through with shared resources

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When multiple devices share resources and one of them is to be passed
through to a guest, the security of the system as a whole, and of each
affected guest individually, cannot be guaranteed without knowledge of
the internals of the guests involved. Such a configuration therefore
cannot be security-supported; this advisory makes that explicit, which
had not been done so far.

Resources the sharing of which is known to be problematic include, but
are not limited to:

 - PCI Base Address Registers (BARs) of multiple devices mapping to the
   same page (4k on x86),
 - INTx lines.

IMPACT
======

The precise effects when shared resources are in use are system, device,
guest, and resource specific. None of privilege escalation, information
leaks, or Denial of Service (DoS) can be ruled out.

VULNERABLE SYSTEMS
==================

All systems making use of PCI pass-through are in principle vulnerable
when any kind of resource is shared.

Note that, even in the absence of resource sharing, caveats apply to
passing PCI devices through to entirely untrusted guests.

MITIGATION
==========

Passing through only SR-IOV virtual functions, or only devices with
well-separated resources, avoids this particular vulnerability.

Passing through all devices sharing a given resource to the same guest
also avoids this particular vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch documents this issue.

Note that patches for released versions are generally prepared to apply
to the stable branches, and may not apply cleanly to the most recent
release tarball. Downstreams are encouraged to update to the tip of the
stable branch before applying these patches.

xsa461.patch           xen-unstable - Xen 4.16.x

$ sha256sum xsa461*
2415504496508ad87c306aa7257e836d7c2f0bd8849656de5b586f0ab93fd17f  xsa461.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where all
the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List). Specifically, deployment on public cloud systems is
NOT permitted.

This is because changing the nature of the devices being passed through
is very likely noticeable by the guest.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in post-embargo
publicly released Xen Project advisories, even though it is then no
longer applicable. This is to enable the community to have oversight of
the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAma8sCkMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZLDkH/i6esACkik7iglEESFgCj0x6fc3KdpVzsCPznmsn
uWZzBO9xuggoPOONJ70Or7tsIdaYDAkealZrBGreXlPEgd0MOtozLYrvB2IIqJEj
cKyC4Y04VpBkynaOiLraFvUs0xyC0cew1NZdE/cxr9ewRvvrHVcyBI5GBAMKworh
g4hjIDOR9ohhvxN2P7Yz59OY+Ojo57t+IlpvPPm+c53bARYR6H/cxyUDLYVlfrk2
iNPif7Wpi1PU/Sjz5XqBF5mXW+LLsLnbyw8Iyhnjqv1zC/tUdzl1INUBd24eHSjP
aXnrlExoGAuvUcf/6YVfU0u2dB7iISGYAs2ESeYuxpJnZ8E=
=LkWz
-----END PGP SIGNATURE-----
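The script below is an added example, not part of the advisory above and not Xen Project tooling. It implements the check an administrator needs before applying the MITIGATION section: given the contents of the Linux sysfs files /sys/bus/pci/devices/<BDF>/resource and .../irq, it reports memory BARs of different devices that land on the same 4k page, devices wired to the same interrupt line, and, for a chosen device, the full (transitive) set of devices that would have to be passed through to the same guest. Only the first and last page of each BAR are inspected, because BARs are naturally aligned and therefore cannot overlap in the middle; I/O port BARs are skipped because x86 delegates I/O ports individually rather than per page. The sample sysfs contents and the device addresses are constructed. Two caveats: the sysfs 'irq' file reports the IRQ currently in use, which is the INTx line only while the device is not using MSI/MSI-X, and the script does not cover other shared resources the advisory says may exist.

```python
"""Locate PCI resources shared at a granularity the hypervisor cannot
split: memory BARs of different devices on one 4k page, and devices on
one interrupt line. Added example, not Xen Project code; the sample data
is a constructed snapshot of Linux sysfs 'resource' and 'irq' files."""
import os
import sys
from collections import defaultdict

PAGE = 4096
IORESOURCE_MEM = 0x200  # from Linux include/linux/ioport.h

# Constructed sample: two sub-page BARs packed into one 4k page (00:1f.2
# and 00:1f.3), a 16k BAR on its own pages (01:00.0), an I/O port BAR that
# must be ignored, and two devices sharing IRQ 16 (00:1f.3 and 02:00.0).
SAMPLE_RESOURCES = {
    "0000:00:1f.2": "0x00000000fe900000 0x00000000fe9007ff 0x0000000000040200\n"
                    "0x0000000000003080 0x000000000000309f 0x0000000000040101\n",
    "0000:00:1f.3": "0x00000000fe900800 0x00000000fe900fff 0x0000000000040200\n",
    "0000:01:00.0": "0x00000000fe000000 0x00000000fe003fff 0x0000000000040200\n"
                    "0x0000000000000000 0x0000000000000000 0x0000000000000000\n",
    "0000:02:00.0": "0x00000000fe100000 0x00000000fe100fff 0x0000000000040200\n",
}
SAMPLE_IRQS = {"0000:00:1f.2": 18, "0000:00:1f.3": 16,
               "0000:01:00.0": 17, "0000:02:00.0": 16}


def parse_resource_file(text):
    """Turn sysfs 'resource' content into (start, end, flags) tuples,
    dropping unused slots (all zeros)."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        start, end, flags = (int(p, 16) for p in parts)
        if flags:
            out.append((start, end, flags))
    return out


def load_sysfs(root="/sys/bus/pci/devices"):
    """Read the same two files for every device on a live Linux system."""
    resources, irqs = {}, {}
    for bdf in os.listdir(root):
        with open(os.path.join(root, bdf, "resource")) as f:
            resources[bdf] = parse_resource_file(f.read())
        with open(os.path.join(root, bdf, "irq")) as f:
            irqs[bdf] = int(f.read().strip() or 0)
    return resources, irqs


def shared_pages(resources, page=PAGE):
    """Pages touched by memory BARs of more than one device."""
    owners = defaultdict(set)
    for bdf, res in resources.items():
        for start, end, flags in res:
            if not flags & IORESOURCE_MEM:
                continue  # I/O port BAR: x86 delegates ports, not pages
            # BARs are naturally aligned, so only the pages at either end
            # can be shared with another BAR; a BAR >= 4k never shares.
            for pg in {start - start % page, end - end % page}:
                owners[pg].add(bdf)
    return {pg: devs for pg, devs in owners.items() if len(devs) > 1}


def shared_irqs(irqs):
    """IRQ lines wired to more than one device (INTx sharing while the
    devices are not using MSI/MSI-X)."""
    by_line = defaultdict(set)
    for bdf, irq in irqs.items():
        if irq:
            by_line[irq].add(bdf)
    return {irq: devs for irq, devs in by_line.items() if len(devs) > 1}


def passthrough_group(bdf, resources, irqs):
    """Every device that must go to the same guest as `bdf`: the transitive
    closure over shared pages and IRQ lines. A singleton result means the
    device can be passed through on its own."""
    neighbours = defaultdict(set)
    for devs in [*shared_pages(resources).values(), *shared_irqs(irqs).values()]:
        for d in devs:
            neighbours[d] |= devs - {d}
    group, todo = set(), [bdf]
    while todo:
        d = todo.pop()
        if d not in group:
            group.add(d)
            todo.extend(neighbours[d])
    return group


if __name__ == "__main__":
    if sys.argv[1:2] == ["--sysfs"]:           # live scan: --sysfs [BDF ...]
        res, irqs = load_sysfs()
        targets = sys.argv[2:]
    else:                                       # constructed sample data
        res = {b: parse_resource_file(t) for b, t in SAMPLE_RESOURCES.items()}
        irqs, targets = SAMPLE_IRQS, ["0000:00:1f.2", "0000:01:00.0"]
    for pg, devs in sorted(shared_pages(res).items()):
        print(f"page {pg:#x} shared by {sorted(devs)}")
    for irq, devs in sorted(shared_irqs(irqs).items()):
        print(f"IRQ {irq} shared by {sorted(devs)}")
    for t in targets:
        others = sorted(passthrough_group(t, res, irqs) - {t})
        print(f"{t}: pass through together with {others or 'nothing'}")
```

On the sample data the 2k BARs of 0000:00:1f.2 and 0000:00:1f.3 share page 0xfe900000, and 0000:00:1f.3 in turn shares IRQ 16 with 0000:02:00.0, so passing 0000:00:1f.2 to a guest safely means giving that guest all three devices, while 0000:01:00.0 can be passed through alone. Run with `--sysfs` on dom0 to scan the real PCI tree; sysfs 'resource' files are readable without root.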