[kernel-xen] Xen Security Advisory 131 (CVE-2015-4106) - Unmediated PCI register access in qemu

Steven Haigh netwiz at crc.id.au
Wed Jun 3 14:47:23 AEST 2015


            Xen Security Advisory CVE-2015-4106 / XSA-131
                              version 3

                Unmediated PCI register access in qemu

UPDATES IN VERSION 3
====================

Public release.

CVE assigned.

ISSUE DESCRIPTION
=================

Qemu allows guests to not only read, but also write all parts of the
PCI config space (but not extended config space) of passed through PCI
devices not explicitly dealt with for (partial) emulation purposes.

IMPACT
======

Since the effect depends on the specific purpose of the config
space field, it's not possible to give a general statement about the
exact impact on the host or other guests.  Privilege escalation, host
crash (Denial of Service), and leaked information all cannot be
excluded.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Only HVM guests which have been granted access to physical PCI devices
(`PCI passthrough') can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted HVM
guests.

This issue can also be avoided by only using PV guests.

It can also be avoided by configuring HVM guests with their device
model run in a separate (stub) domain.  (When using xl, this can be
requested with "device_model_stubdomain_override=1" in the domain
configuration file.)
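
The conditions above can be checked against existing xl domain configuration
files. The following is an added example, not part of the advisory or of Xen:
it flags HVM guests that have PCI devices assigned and do not request a stub
domain device model. The function names and sample configurations are
constructed for illustration, and the parser handles only simple
"key = value" settings.

```python
import re

def parse_xl_cfg(text):
    """Minimal 'key = value' reader for xl domain configs (not a full parser)."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments; assumes no '#' inside values
    settings = {}
    # A value is either a [...] list (which may span lines) or the rest of the line.
    for key, value in re.findall(r"^\s*(\w+)\s*=\s*(\[.*?\]|[^\n]*)", text, re.S | re.M):
        if value.startswith("["):
            settings[key] = re.findall(r"""["']([^"']*)["']""", value)
        else:
            settings[key] = value.strip().strip("\"'")
    return settings

def xsa131_exposure(text):
    """Classify one domain config against the XSA-131 mitigation conditions."""
    cfg = parse_xl_cfg(text)
    # Guests are PV unless builder="hvm" (or type="hvm" on newer xl) is set.
    if "hvm" not in (cfg.get("builder"), cfg.get("type")):
        return "not-affected: PV guest"
    pci = cfg.get("pci") or []
    if isinstance(pci, str):
        pci = [pci]
    if not pci:
        return "not-affected: no PCI passthrough"
    if cfg.get("device_model_stubdomain_override") == "1":
        return "mitigated: device model in stub domain"
    return "review: HVM guest, device model in Dom0, PCI devices " + ", ".join(pci)

# Constructed sample configurations (not taken from any real host).
EXPOSED = """
name = "guest1"
builder = "hvm"
pci = [ '01:00.0',
        '01:00.1' ]   # passed-through NIC
"""
HARDENED = EXPOSED + "device_model_stubdomain_override = 1\n"
PV_GUEST = 'name = "guest2"\npci = [ "02:00.0" ]\n'

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED), ("pv", PV_GUEST)):
        print(label, "->", xsa131_exposure(cfg))
```

A "review" result means the guest meets the vulnerable configuration; whether it matters depends on whether the guest is trusted and whether a fixed package is installed.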

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Fixed in:
xen-4.2.5-17
xen44-4.4.1-17
xen45-4.5.0-0.11

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except on
systems used and administered only by organisations which are members
of the Xen Project Security Issues Predisclosure List).  Specifically,
deployment on public cloud systems is NOT permitted.

This is because the altered PCI config space access behavior is visible
to guests.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
