Device quarantine for alternate pci assignment methods

ID XSA-306
Type xen
Reporter Xen Project
Modified 2019-11-26T11:59:00



XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these "alternate" methods are used will still leave the system in a vulnerable state after the device comes back from a guest.


An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation.


Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable. Only systems which use "alternate" methods to assign devices to pciback before assignment are vulnerable. These methods include: - Assigning devices on the Linux command-line using xen-pciback.hide - Assigning devices via xen-pciback module parameters - Assigning devices manually via sysfs - Assigning devices using libvirt Systems which use xl pci-assignable-add or libxl_device_pci_assignable_add, or have the assignable state handled automatically via setting the seize parameter, are not affected.