CVE-2024-21823: Intel DSA and Intel IAA advisory

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html
was published yesterday covering OS/Hypervisor mitigations they recommend
to reduce exposure to a bug in certain recent Intel CPUs.

It states:

> Summary: 
>
> A potential security vulnerability in some Intel® Data Streaming Accelerator
> (Intel® DSA) and Intel® Analytics Accelerator (Intel® IAA) V1.0 for some
> Intel® 4th or 5th generation Xeon® processors may allow denial of service.
> Intel is releasing prescriptive guidance and software updates to mitigate
> this potential vulnerability.
>
> Vulnerability Details: 
>
> CVEID:  CVE-2024-21823
>
> Description: Hardware logic with insecure de-synchronization in Intel® DSA and
> Intel® IAA for some Intel® 4th or 5th generation Xeon® processors may allow an
> authorized user to potentially enable denial of service via local access.
>
> CVSS Base Score: 6.4 Medium
>
> CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H
>
> Recommendation:
>
> Intel recommends following the steps below to address these issues:
>
> Restrict untrusted usage of Intel® DSA/IAA devices on impacted Intel® 4th
> Generation and 5th Generation Xeon® scalable processors, from VM guest or
> 3rd party application. Intel has worked with the OS vendor to provide an
> updated Kernel to disallow direct access to Intel® DSA and IAA v1.0 devices
> by untrusted software. Intel recommends using the upstream or LTS Linux kernel
> with the updated driver containing mitigations. Please contact your OS vendor
> for updates.
>  
>
> In addition, Intel is publishing the following libraries for the updated Kernel
> version and recommends updating the following:
>
> - Intel® DSA Transparent Offload Library (DTO) to version 1.1 or later. Updates
>   are available for download at this location: https://github.com/intel/DTO
> - OFI Libfabric Shared Memory Provider to version 1.21.1 or later. Updates are
>   available for download at this location:
>   https://github.com/ofiwg/libfabric/releases
> - Intel® MPI Library before version October 2024 later. The library will be
>   updated for Intel OneAPI in October 2024.
> - Intel® Data Mover Library (DML) before version v1.2.0 or later. Updates are
>   available for download at this location: https://github.com/intel/DML
> - Intel® Query Processing Library (QPL) before version v1.6.0. Updates are
>   available for download at this location: https://github.com/intel/qpl
> - SPDK DSA Driver before version v24.9. Updates are available for download at
>   this location: https://github.com/spdk/spdk
[Further details, including a table of affected hardware, is in their advisory.]

https://bugzilla.redhat.com/show_bug.cgi?id=2278989 notes:

> The fix went public today in Linus' tree with the following commits:
>
> 95feb3160eef ("VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist")
> e11452eb071b ("dmaengine: idxd: add a new security check to deal with a hardware erratum")
> 6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")

I don't know if any other open source kernels or hypervisors support this
hardware yet - if so, they will presumably need to publish equivalent
mitigations.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris