oss-sec mailing list archives
Re: Xen Security Advisory 78 - Insufficient TLB flushing in VT-d (iommu) code
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 21 Nov 2013 00:55:13 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/20/2013 10:08 AM, Xen.org security team wrote:
Xen Security Advisory XSA-78 Insufficient TLB flushing in VT-d (iommu) code ISSUE DESCRIPTION ================= An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended. IMPACT ====== Malicious guest administrators might be able to cause host-wide denial of service, or escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== Xen 4.2.x and later are vulnerable. Xen 4.1.x and earlier are not vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable. MITIGATION ========== This issue can be avoided by not assigning PCI devices to untrusted guests on systems supporting Intel VT-d. NOTE REGARDING LACK OF EMBARGO ============================== This issue was disclosed publicly on the xen-devel mailing list. RESOLUTION ========== Applying the attached patch resolves this issue. xsa78.patch Xen 4.2.x, Xen 4.3.x, xen-unstable $ sha256sum xsa78*.patch 2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e xsa78.patch $
Please use CVE-2013-6375 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSjbxgAAoJEBYNRVNeJnmT+rsQANa8v60e5q9IlEAYEjqb/Tar NqozqDg0BY5ujLOapUY8ZKP7vFJqy17E3WlQCz0Hzucxozn6XwqBD2GZwyHVy9m/ yH7sqoTrlJfhl+sC2FAU9eR0y7U1+Z1yXSF4aXmXZgUfawa+36X8e+FYDzV30hqe zYf6CxhZoiZ6Ngb5rH+Rtup4pdH4nuSULrgv3gir1EBCIBv8ElMItslGCbbvwv5J AizlzJThJZmZN6DblJewzFaddmT5YMVDuzvRWGav0dBFkDHdlPqdNx5CSDF33I/h tPXYH8ecgP8IXpSMeW+YgRLnq5B4WTQiXoiJz8VqsvbwrmUEZz85IkVmpznnfBkf WqGrgUT0Y1S0w2N309xyz/VM+QIgTRjhUDlgyLunEQaIS183c9wuYMAEAEgLLj6D R1gul6PM5d6nsNSt2AvRAd01Fr3fmZorQXxjyhY/AP1YDTbDsshcjRirEXhowjUk WEcNmDEK1OyigilospoHLMBChYiY5SulMc/J1uMFsMHhY9kPa7321KNvM/9wMxyx 2tOZUN6J5r2tbDYtifOH9pyd38Ezi86HJUeniFWqn5sKMquWydKIczx6AbKrrmqW 5U7qGQS3PNj9w+AC+pUhn9T5x6LyPrsRK1qqfIHnKg/1uXMSJwfDKI1vHFfWBoZD qaBYD1JWmWc/va1D8mKB =Ra7v -----END PGP SIGNATURE-----
Current thread:
- Xen Security Advisory 78 - Insufficient TLB flushing in VT-d (iommu) code Xen . org security team (Nov 20)
- Re: Xen Security Advisory 78 - Insufficient TLB flushing in VT-d (iommu) code Kurt Seifried (Nov 21)