[kernel-xen] Xen Security Advisory 80 (CVE-2013-6400) - IOMMU TLB flushing may be inadvertently suppressed

Steven Haigh netwiz at crc.id.au
Wed Dec 11 12:54:27 EST 2013


             Xen Security Advisory CVE-2013-6400 / XSA-80
                              version 3

          IOMMU TLB flushing may be inadvertently suppressed

UPDATES IN VERSION 3
====================

Public release.

Corrected explanatory text to refer to the correct patch filename.

ISSUE DESCRIPTION
=================

An internal flag is used to temporarily suppress IOMMU TLB flushes, in
order to consolidate multiple single page flushes into one wider
flush.  This flag is not cleared again on certain error paths.  This
can result in TLB flushes not happening when they are needed.
Retaining stale TLB entries could allow guests access to memory that
ought to have been revoked, or grant greater access than intended.
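
The failure pattern the advisory describes (a batching flag set before a
loop and restored only on the success path) is shown below in a small
model of an IOMMU with a TLB cache.  This is an added illustration, not
Xen code: every name (struct iommu, flush_suppressed, batch_unmap_*)
is hypothetical, and the page-table and TLB behaviour is a constructed
simplification.  The vulnerable batch routine returns early on a bad
entry and leaves the flag set, so a later single-page revocation never
flushes and the device keeps a stale translation; the fixed routine
funnels every exit through one point that restores the flag and drains
the pending flush.

```c
/* Hypothetical IOMMU model (not Xen code) for the flag-not-cleared bug. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NPAGES 8

struct iommu {
    bool present[NPAGES];     /* page table: is the mapping valid? */
    bool tlb_cached[NPAGES];  /* TLB holds a translation (possibly stale) */
    bool flush_suppressed;    /* set while single-page flushes are batched */
    bool flush_pending;       /* a suppressed flush is owed */
    int  flush_count;
};

static void iommu_init(struct iommu *io) { memset(io, 0, sizeof *io); }

/* Device DMA: served from the TLB if cached, else from the page table. */
static bool dma_access(struct iommu *io, int page)
{
    if (io->tlb_cached[page])
        return true;                 /* stale entries still succeed here */
    if (io->present[page]) {
        io->tlb_cached[page] = true;
        return true;
    }
    return false;                    /* fault: no valid mapping */
}

static void map_page(struct iommu *io, int page) { io->present[page] = true; }

static void tlb_flush(struct iommu *io)
{
    memset(io->tlb_cached, 0, sizeof io->tlb_cached);
    io->flush_pending = false;
    io->flush_count++;
}

/* Unmap one page; defer the flush while a batch is in progress. */
static void unmap_page(struct iommu *io, int page)
{
    io->present[page] = false;
    if (io->flush_suppressed)
        io->flush_pending = true;    /* to be flushed when the batch ends */
    else
        tlb_flush(io);
}

/* Vulnerable: the early return skips clearing flush_suppressed. */
static int batch_unmap_vulnerable(struct iommu *io, const int *pages, size_t n)
{
    io->flush_suppressed = true;
    for (size_t i = 0; i < n; i++) {
        if (pages[i] < 0 || pages[i] >= NPAGES)
            return -1;               /* BUG: flag stays set, owed flush is lost */
        unmap_page(io, pages[i]);
    }
    io->flush_suppressed = false;
    if (io->flush_pending)
        tlb_flush(io);
    return 0;
}

/* Fixed: one exit path always restores the flag and drains the owed flush. */
static int batch_unmap_fixed(struct iommu *io, const int *pages, size_t n)
{
    int rc = 0;
    io->flush_suppressed = true;
    for (size_t i = 0; i < n; i++) {
        if (pages[i] < 0 || pages[i] >= NPAGES) { rc = -1; break; }
        unmap_page(io, pages[i]);
    }
    io->flush_suppressed = false;
    if (io->flush_pending)
        tlb_flush(io);
    return rc;
}

typedef int (*batch_fn)(struct iommu *, const int *, size_t);

/* Constructed scenario: warm the TLB for pages 1..5, batch-unmap with an
 * invalid entry in the middle (error path), then revoke page 5 on its own.
 * Returns true if the device can still reach any revoked page. */
static bool stale_access_possible(batch_fn batch)
{
    struct iommu io;
    iommu_init(&io);
    for (int p = 1; p <= 5; p++) { map_page(&io, p); dma_access(&io, p); }
    const int batch_pages[] = { 1, 2, 99, 3 };  /* 99 triggers the error path */
    (void)batch(&io, batch_pages, 4);
    unmap_page(&io, 5);                          /* later, unrelated revocation */
    return dma_access(&io, 1) || dma_access(&io, 2) || dma_access(&io, 5);
}

int main(void)
{
    printf("vulnerable: stale access %s\n",
           stale_access_possible(batch_unmap_vulnerable) ? "possible" : "blocked");
    printf("fixed:      stale access %s\n",
           stale_access_possible(batch_unmap_fixed) ? "possible" : "blocked");
    return 0;
}
```

The check a reviewer wants on code like this is that every return from
the batching routine, including the error ones, passes through the line
that clears the suppression flag; in the model above the flag outlives the
call, and so every subsequent unmap silently defers a flush that nothing
will ever perform.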

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Only VMs which have been assigned PCI devices can exploit the bug.

Only systems using Intel VT-d are vulnerable, since the bug is in the
VT-d specific code in Xen.

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted
guests on systems supporting Intel VT-d.

CREDITS
=======

This issue was discovered by Jan Beulich.

RESOLUTION
==========

Fixed in xen-4.2.3-11.
