Xen Project Security Advisory XSA-275

insufficient TLB flushing / improper large page mappings with AMD IOMMUs

Published: Nov 20, 2018, 12:00
Source: Xen Project (xenbits.xen.org)

CVSS v3.0: 7.8 High
  Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: LOCAL; Attack Complexity: HIGH; Privileges Required: LOW; User Interaction: NONE
  Scope: CHANGED; Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH

CVSS v2: 6.9 Medium
  Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
  Access Vector: LOCAL; Access Complexity: MEDIUM; Authentication: NONE
  Confidentiality: COMPLETE; Integrity: COMPLETE; Availability: COMPLETE

EPSS: 0.001 Low (percentile 25.6%)

ISSUE DESCRIPTION

In order to be certain that no undue access to memory is possible any more after IOMMU mappings of that memory have been removed, the IOMMU's Translation Lookaside Buffers (TLBs) need to be flushed after most changes to such mappings. Xen bypassed certain IOMMU flushes on AMD x86 hardware. (CVE-2018-19961)
Furthermore, logic exists in Xen to re-combine small page mappings into larger ones. Such re-combination could have occurred in cases where it was not safe or correct to do so. (CVE-2018-19962)
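The two bug classes described above, as an added illustration that is not Xen code and does not model AMD-Vi hardware: a toy IOMMU page table whose large page spans four small pages (constructed; real tables use 512) and a small IOTLB. device_still_reaches_frame_after_unmap(false) shows that without a flush a cached translation outlives the removed page-table entry, so the device keeps DMA access to the freed frame; try_merge_large shows the checks a safe re-combination of small mappings into a large one needs (all entries present, contiguous and aligned frames, identical permissions). All function and constant names are this example's own, not Xen's.

```c
/* Toy model of an IOMMU page table plus its IOTLB, added to illustrate the two
 * bug classes in this advisory.  Not Xen code; sizes and names are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PT_ENTRIES  4   /* small pages per large page (toy value; real: 512) */
#define PT_DIRS     4   /* large-page slots in the toy table */
#define TLB_ENTRIES 8
#define PERM_R 1u
#define PERM_W 2u

struct pte { bool present; unsigned perm; uint64_t mfn; };
struct dir { bool is_large; struct pte large; struct pte small[PT_ENTRIES]; };
struct iommu {
    struct dir table[PT_DIRS];
    struct { bool valid; uint64_t bfn, mfn; unsigned perm; } tlb[TLB_ENTRIES];
    size_t next_victim;
};

static void iommu_init(struct iommu *io) { memset(io, 0, sizeof(*io)); }
static void iotlb_flush(struct iommu *io) { memset(io->tlb, 0, sizeof(io->tlb)); }

/* Page-table walk with no TLB involved: the truth after a flush. */
static bool pt_lookup(const struct iommu *io, uint64_t bfn, uint64_t *mfn, unsigned *perm)
{
    uint64_t d = bfn / PT_ENTRIES, i = bfn % PT_ENTRIES;
    if (d >= PT_DIRS) return false;
    const struct dir *dir = &io->table[d];
    const struct pte *p = dir->is_large ? &dir->large : &dir->small[i];
    if (!p->present) return false;
    *mfn = dir->is_large ? p->mfn + i : p->mfn;
    *perm = p->perm;
    return true;
}

/* Translation as the device sees it: the IOTLB is consulted before the table,
 * so a stale entry keeps granting DMA to a frame the table no longer maps. */
static bool dma_translate(struct iommu *io, uint64_t bfn, unsigned want, uint64_t *mfn)
{
    for (size_t k = 0; k < TLB_ENTRIES; k++)
        if (io->tlb[k].valid && io->tlb[k].bfn == bfn) {
            if ((io->tlb[k].perm & want) != want) return false;
            *mfn = io->tlb[k].mfn;
            return true;
        }
    unsigned perm;
    if (!pt_lookup(io, bfn, mfn, &perm) || (perm & want) != want) return false;
    size_t k = io->next_victim++ % TLB_ENTRIES;          /* cache the walk */
    io->tlb[k].valid = true; io->tlb[k].bfn = bfn; io->tlb[k].mfn = *mfn; io->tlb[k].perm = perm;
    return true;
}

static bool iommu_map(struct iommu *io, uint64_t bfn, uint64_t mfn, unsigned perm)
{
    uint64_t d = bfn / PT_ENTRIES, i = bfn % PT_ENTRIES;
    if (d >= PT_DIRS || io->table[d].is_large) return false;  /* toy: no large-page split */
    io->table[d].small[i] = (struct pte){ true, perm, mfn };
    return true;
}

/* Remove a mapping.  flush=true is correct; flush=false reproduces the bypassed
 * flush of CVE-2018-19961: the PTE is gone but the IOTLB still has the translation. */
static bool iommu_unmap(struct iommu *io, uint64_t bfn, bool flush)
{
    uint64_t d = bfn / PT_ENTRIES, i = bfn % PT_ENTRIES;
    if (d >= PT_DIRS || io->table[d].is_large) return false;
    io->table[d].small[i].present = false;
    if (flush) iotlb_flush(io);
    return true;
}

/* Re-combine PT_ENTRIES small mappings into one large one.  Only correct when every
 * entry is present, the frames are contiguous and start on a large-page boundary,
 * and all permissions agree; merging otherwise is the bug class of CVE-2018-19962. */
static bool try_merge_large(struct iommu *io, uint64_t d)
{
    if (d >= PT_DIRS || io->table[d].is_large) return false;
    const struct pte *s = io->table[d].small;
    if (!s[0].present || s[0].mfn % PT_ENTRIES != 0) return false;
    for (uint64_t i = 1; i < PT_ENTRIES; i++)
        if (!s[i].present || s[i].mfn != s[0].mfn + i || s[i].perm != s[0].perm)
            return false;
    io->table[d].large = (struct pte){ true, s[0].perm, s[0].mfn };
    io->table[d].is_large = true;
    iotlb_flush(io);   /* the table changed shape; cached small translations must go */
    return true;
}

/* Scenario: map, let the device warm the IOTLB, unmap with or without a flush,
 * then report whether DMA to the old frame still succeeds. */
static bool device_still_reaches_frame_after_unmap(bool flush)
{
    struct iommu io; uint64_t mfn;
    iommu_init(&io);
    iommu_map(&io, 5, 0x100, PERM_R | PERM_W);
    dma_translate(&io, 5, PERM_W, &mfn);            /* fills the IOTLB */
    iommu_unmap(&io, 5, flush);
    return dma_translate(&io, 5, PERM_W, &mfn) && mfn == 0x100;
}
```

In the real system the "device" is a PCI device assigned to a guest and the frame is memory the guest no longer owns, which is why a skipped flush turns into the privilege escalation, DoS or information leak listed under IMPACT below.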

IMPACT

A malicious or buggy guest may be able to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access (information leak).

VULNERABLE SYSTEMS

Xen versions from at least 3.2 onwards are affected. Note that the situation is worse in 4.1 and earlier, in that there’s no flushing of the TLB at all.
Only systems with AMD x86 hardware with enabled IOMMU are affected.
ARM and Intel x86 systems, and AMD x86 systems without enabled IOMMU, are not affected.
Only systems where physical PCI devices are assigned to untrusted guests are vulnerable.

CPE  Name   Operator   Version
     xen    ge         3.2
