[kernel-xen] Xen Security Advisory 78 - Insufficient TLB flushing in VT-d (iommu) code

Steven Haigh netwiz at crc.id.au
Wed Nov 27 11:06:12 EST 2013


                    Xen Security Advisory XSA-78

           Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests on systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Fixed in xen-4.2.3-10
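
The following is an added example, not part of the advisory and not Xen's code: a toy C model of the bug class described under ISSUE DESCRIPTION, where a flush helper is told a just-cleared entry was not present and so skips the flush. All names (struct iommu, clear_page, iotlb_flush, was_present) and the frame numbers are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NPAGES 8
#define NO_MAP UINT32_MAX

/* Toy model (hypothetical): one-level I/O page table plus a translation cache. */
struct iommu {
    uint32_t pte[NPAGES];   /* authoritative table: host frame or NO_MAP */
    uint32_t iotlb[NPAGES]; /* cached translations the device actually uses */
};

static void iommu_init(struct iommu *m) {
    for (int i = 0; i < NPAGES; i++) m->pte[i] = m->iotlb[i] = NO_MAP;
}

/* Device access: use the cached entry, else walk the table and cache a hit. */
static uint32_t dma_translate(struct iommu *m, unsigned gfn) {
    if (m->iotlb[gfn] == NO_MAP) m->iotlb[gfn] = m->pte[gfn];
    return m->iotlb[gfn];
}

/* Non-present entries are never cached in this model, so the flush is
 * skipped unless the caller says the old entry was present. */
static void iotlb_flush(struct iommu *m, unsigned gfn, bool was_present) {
    if (was_present) m->iotlb[gfn] = NO_MAP;
}

/* Revoke a mapping. fixed=false models the inverted argument. */
static void clear_page(struct iommu *m, unsigned gfn, bool fixed) {
    if (m->pte[gfn] == NO_MAP) return; /* nothing to clear */
    m->pte[gfn] = NO_MAP;
    /* The entry is known to be present here, so the flag must be true. */
    iotlb_flush(m, gfn, fixed);
}

/* Frame a device still reaches after revocation; NO_MAP means it faults. */
static uint32_t frame_after_revoke(bool fixed) {
    struct iommu m;
    iommu_init(&m);
    m.pte[3] = 0x1234;           /* constructed sample mapping */
    (void)dma_translate(&m, 3);  /* device touches the page, entry is cached */
    clear_page(&m, 3, fixed);    /* mapping is revoked */
    return dma_translate(&m, 3);
}

int main(void) {
    printf("inverted flag: 0x%x\n", (unsigned)frame_after_revoke(false));
    printf("correct flag:  0x%x\n", (unsigned)frame_after_revoke(true));
    return 0;
}
```

With the inverted flag the page table says the mapping is gone while the cached translation still resolves, which is the stale-entry condition the advisory describes.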
