Xen project Mailing List

Re: [Xen-devel] [PATCH][XSA-126] xen: limit guest control of PCI command register

To: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Wed, 1 Apr 2015 10:41:12 +0100

Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, pmatouse@xxxxxxxxxx, qemu-devel@xxxxxxxxxx

Delivery-date: Wed, 01 Apr 2015 09:47:54 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 01/04/15 10:20, Stefano Stabellini wrote: > CC'ing the author of the patch and xen-devel. > FYI I think that Jan is going to be on vacation for a couple of weeks. > > On Wed, 1 Apr 2015, Michael S. Tsirkin wrote: >> On Tue, Mar 31, 2015 at 03:18:03PM +0100, Stefano Stabellini wrote: >>> From: Jan Beulich <jbeulich@xxxxxxxx> >>> >>> Otherwise the guest can abuse that control to cause e.g. PCIe >>> Unsupported Request responses (by disabling memory and/or I/O decoding >>> and subsequently causing [CPU side] accesses to the respective address >>> ranges), which (depending on system configuration) may be fatal to the >>> host. >>> >>> This is CVE-2015-2756 / XSA-126. >>> >>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> >>> Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx> >>> Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> >> The patch description seems somewhat incorrect to me. >> UR should not be fatal to the system, and it's not platform >> specific. > I think that people have been able to repro this, but I'll let Jan > comment on it. Depending on how the BIOS sets up AER (if even available), a UR can very easily be fatal to the system. If firmware first mode is set, Xen (or indeed Linux) can't fix a problematic setup. Experimentally, doing so can cause infinite loops in certain vendors SMM handlers. > > >> In particular, there could be more reasons for devices >> to generate URs, for example, if they get a transaction >> during FLR. I don't think we ever tried to prevent this. > That cannot be triggered by guest behaviour. What cannot be triggered by guest behaviour? Many devices have secondary access into config space via a BAR, which allows a guest driver full and unmediated control of everything. Under Xen, we have covered this with XSA-124 which basically says that for such devices, all bets are off. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.