Xen project Mailing List

[Xen-devel] Xen Security Advisory 78 (CVE-2013-6375) - Insufficient TLB flushing in VT-d (iommu) code

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Thu, 21 Nov 2013 11:32:56 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Thu, 21 Nov 2013 11:33:22 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory CVE-2013-6375 / XSA-78 version 2 Insufficient TLB flushing in VT-d (iommu) code UPDATES IN VERSION 2 ==================== This issue has been assigned CVE-2013-6375. ISSUE DESCRIPTION ================= An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended. IMPACT ====== Malicious guest administrators might be able to cause host-wide denial of service, or escalate their privilege to that of the host. VULNERABLE SYSTEMS ================== Xen 4.2.x and later are vulnerable. Xen 4.1.x and earlier are not vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable. MITIGATION ========== This issue can be avoided by not assigning PCI devices to untrusted guests on systems supporting Intel VT-d. NOTE REGARDING LACK OF EMBARGO ============================== This issue was disclosed publicly on the xen-devel mailing list. RESOLUTION ========== Applying the attached patch resolves this issue. xsa78.patch Xen 4.2.x, Xen 4.3.x, xen-unstable $ sha256sum xsa78*.patch bb13b280bb456c1d7c8f468e23e336e6b2d06eb364c6823f1b426fcfe09f6ed3 xsa78.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJSje8rAAoJEIP+FMlX6CvZ1kkIALhafGTk2hNupn2YyvqaUchF P7lnff8PohFj9WRM3I5axrJGkZeOozjeRSbgaVwlg5UY1A6vNqtT9GSQtSWRWbk/ /0ysGvwbBTdRQeGhvENhpFOJRF/4TjGn1xmCBgQbmrhZuS9iAQvJL8yUY/HdCVyf gk9Vw/yuBZff15h97FH9M+zrdz+DbBTlR0t5HlVkLMvXyFkYIRafwaZVKWaH/C9y S1Wz6M9q1U9KrE8wBsNNHMgywdTiriCkzhfxEQbsPKnn/NFCOS0ehqct0JeZx100 Eritdmkr805EUCcFUdS5R1EDP6xiRUCUAdbL/tvTJExzmPEG0sg7kKWIArRujLU= =ZgNn -----END PGP SIGNATURE-----

Attachment: xsa78.patch
Description: Binary data

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.