Bug 484478 (CVE-2013-4329) - <app-emulation/xen-4.3.2: libxl partially sets up HVM passthrough even with disabled iommu (CVE-2013-4329)
Summary: <app-emulation/xen-4.3.2: libxl partially sets up HVM passthrough even with d...
Status: RESOLVED FIXED
Alias: CVE-2013-4329
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-10 14:07 UTC by Agostino Sarubbo
Modified: 2014-07-16 16:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-09-10 14:07:27 UTC
From ${URL} :

                    Xen Security Advisory XSA-61

     libxl partially sets up HVM passthrough even with disabled iommu

ISSUE DESCRIPTION
=================

With HVM domains, libxl's setup of PCI passthrough devices does the
IOMMU setup after giving (via the device model) the guest access to
the hardware and advertising it to the guest.

If the IOMMU is disabled the overall setup fails, but after the device
has been made available to the guest; subsequent DMA instructions from
the guest to the device will cause wild DMA.

IMPACT
======

An HVM domain, given access to a device which is bus-mastering capable in
the absence of a functioning IOMMU, can mount a privilege escalation
or denial of service attack affecting the whole system.

VULNERABLE SYSTEMS
==================

1. Only systems which pass busmastering-capable PCI devices through to
   untrusted guests are vulnerable.  (Most PCI devices are
   busmastering-capable.)

2. Only systems which use libxl as part of the toolstack are
   vulnerable.

   The major consumer of libxl functionality is the xl toolstack which
   became the default in Xen 4.2.

   In addition to this libvirt can optionally make use of libxl. This
   can be queried with
           # virsh version
   which will report "xenlight" if libxl is in use.  libvirt currently
   prefers the xend backend if xend is running.

   The xend and xapi toolstacks do not currently use libxl.

3. Only Xen versions 4.0.x through 4.2.x are vulnerable.

4. Only HVM domains can take advantage of this vulnerability.

5. Systems which have a functioning IOMMU are NOT vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to HVM guests when
there is no functioning IOMMU.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on xen-devel; the person reporting
it did not appreciate that it was a security issue.  Additionally the
patch to fix the issue was already applied to the respective branches
(in particular resulting in Xen 4.3 not being vulnerable).  Under the
circumstances the Xen.org security team do not consider that this
advisory should be embargoed.

Also, we apologise for the delay to this advisory message, which was
due to an oversight by us.

CREDITS
=======

George Dunlap found the issue as a bug, which on examination by the
Xenproject.org Security Team turned out to be a security problem.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa61-4.1.patch             Xen 4.1.x
xsa61-4.2-unstable.patch    Xen 4.2.x, xen-unstable



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
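Added illustration of the ordering defect in the advisory above; this is a small C model written for this page, not libxl code and not the XSA-61 patch. The struct and function names (passthrough_expose_then_map, passthrough_map_then_expose, wild_dma_possible, demo_no_iommu, demo_with_iommu) and the sample BDF are hypothetical. The "hardened" ordering shows the principle the advisory implies (fail before exposing the device, confine DMA before advertising it); it does not claim to reproduce the real fix line for line.

```c
/* Added example: C model of the XSA-61 ordering defect. Not libxl code;
 * all identifiers below are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct pci_dev {
    const char *bdf;           /* constructed sample BDF, e.g. "0000:03:00.0" */
    bool bus_master_capable;   /* true for most PCI devices */
};

struct platform {
    bool iommu_enabled;        /* host has a functioning IOMMU */
};

/* Per-domain passthrough state for one device. */
struct assignment {
    bool visible_to_guest;     /* device model has advertised the device */
    bool iommu_mapped;         /* IOMMU confines the device's DMA to guest memory */
};

/* Order the advisory describes for Xen 4.0.x-4.2.x libxl: the device is
 * handed to the guest first and the IOMMU is set up afterwards. With the
 * IOMMU disabled the call fails, but the guest already has the device.
 * Returns 0 on success, -1 on failure. */
int passthrough_expose_then_map(const struct platform *p, struct assignment *a)
{
    a->visible_to_guest = true;        /* step 1: expose via device model */
    if (!p->iommu_enabled)
        return -1;                     /* step 2 fails; step 1 is not undone */
    a->iommu_mapped = true;
    return 0;
}

/* Hardened ordering: refuse before anything is exposed, and install the
 * IOMMU mapping before the guest can see the device. */
int passthrough_map_then_expose(const struct platform *p, struct assignment *a)
{
    if (!p->iommu_enabled)
        return -1;                     /* nothing has been exposed yet */
    a->iommu_mapped = true;            /* step 1: DMA confined by IOMMU */
    a->visible_to_guest = true;        /* step 2: expose via device model */
    return 0;
}

/* Audit check: the dangerous state is a bus-master-capable device the guest
 * can see while no IOMMU mapping confines its DMA ("wild DMA"). */
bool wild_dma_possible(const struct pci_dev *dev, const struct assignment *a)
{
    return a->visible_to_guest && dev->bus_master_capable && !a->iommu_mapped;
}

/* Host without IOMMU: returns 1 if only the vulnerable ordering leaves the
 * device in the wild-DMA state although both calls report failure. */
int demo_no_iommu(void)
{
    struct platform p = { .iommu_enabled = false };
    struct pci_dev dev = { .bdf = "0000:03:00.0", .bus_master_capable = true };
    struct assignment vuln = {0}, fixed = {0};

    int rv = passthrough_expose_then_map(&p, &vuln);
    int rf = passthrough_map_then_expose(&p, &fixed);
    printf("vulnerable order: rc=%d wild_dma=%d\n", rv, wild_dma_possible(&dev, &vuln));
    printf("hardened order:   rc=%d wild_dma=%d\n", rf, wild_dma_possible(&dev, &fixed));
    return rv == -1 && rf == -1 &&
           wild_dma_possible(&dev, &vuln) && !wild_dma_possible(&dev, &fixed);
}

/* Host with IOMMU: returns 1 if both orderings succeed and neither leaves
 * the device unconfined (matches "functioning IOMMU => NOT vulnerable"). */
int demo_with_iommu(void)
{
    struct platform p = { .iommu_enabled = true };
    struct pci_dev dev = { .bdf = "0000:03:00.0", .bus_master_capable = true };
    struct assignment vuln = {0}, fixed = {0};

    int rv = passthrough_expose_then_map(&p, &vuln);
    int rf = passthrough_map_then_expose(&p, &fixed);
    return rv == 0 && rf == 0 &&
           !wild_dma_possible(&dev, &vuln) && !wild_dma_possible(&dev, &fixed);
}

int main(void)
{
    return (demo_no_iommu() && demo_with_iommu()) ? 0 : 1;
}
```

The point the model makes is the one in the advisory's MITIGATION section: a failed return code is not enough, because the guest-visible side effect survives the failure. An administrator checking a host before assigning devices would verify the IOMMU is active rather than rely on libxl refusing the assignment.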
Comment 1 Agostino Sarubbo gentoo-dev 2013-09-11 15:50:34 UTC
this is fixed in xen-4.2.3
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-09-13 15:49:14 UTC
CVE-2013-4329 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4329):
  The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is
  disabled, provides access to a busmastering-capable PCI passthrough device
  before the IOMMU setup is complete, which allows local HVM guest domains to
  gain privileges or cause a denial of service via a DMA instruction.
Comment 3 Yixun Lan archtester gentoo-dev 2014-06-11 01:58:22 UTC
see comment #1, this is already fixed in >=xen-4.3.2, so no in-tree versions are affected.

thanks
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-06-11 02:10:19 UTC
Arches and Maintainer(s), thank you for your work.

Added to an existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-07-16 16:46:24 UTC
This issue was resolved and addressed in
 GLSA 201407-03 at http://security.gentoo.org/glsa/glsa-201407-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).