x86/PV: page type reference counting issue with failed IOMMU update

ID XSA-291
Type xen
Reporter Xen Project
Modified 2019-03-05T12:21:00



When an x86 PV domain has a passed-through PCI device assigned, IOMMU mappings may need to be updated when the type of a particular page changes. Such an IOMMU operation may fail. In the event of failure, while at present the affected guest would be forcibly crashed, the already recorded additional type reference was not dropped again. This causes a bug check to trigger while cleaning up after the crashed guest.


Malicious or buggy x86 PV guest kernels can mount a Denial of Service (DoS) attack affecting the whole system.


Xen versions from 4.8 onwards are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. Only guests which are assigned a physical device can exploit this vulnerability. Guests which are not assigned physical devices cannot exploit this vulnerability.