Xen Project XSA-386

PCI devices with RMRRs not deassigned correctly

2021-10-05 18:43:00
Xen Project
xenbits.xen.org

CVSS3: 7.6 High
  Attack Vector: PHYSICAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 4.6 Medium
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.002 Low (percentile 57.3%)

ISSUE DESCRIPTION

Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, “RMRR”). These are typically used for platform tasks such as legacy USB emulation.
If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU configuration for such a device ends up pointing to freed data structures, including the IO page tables.
Subsequent DMA or interrupts from the device will have unpredictable behaviour, ranging from IOMMU faults to memory corruption.
This bug has existed since at least Xen 4.4, but it was previously masked by a tangentially related misbehaviour; that misbehaviour was corrected in f591755823a7 (“IOMMU/PCI: don’t let domain cleanup continue when device de-assignment failed”), which was backported to supported stable branches.

IMPACT

Administrators of guests which have been assigned RMRR-using PCI devices can cause denial of service and other problems, possibly including escalation of privilege.

VULNERABLE SYSTEMS

For stable Xen releases: 4.13.4, 4.14.3 and 4.15.1 are vulnerable. Other versions of Xen released by the Xen Project are not affected.
For Xen git branches: the HEADs of 4.13 and later (including xen-unstable) were vulnerable, up until 2021-10-05 (when the patch in this advisory was committed). 4.12 and earlier are not affected.
In detail: code that has the following patch applied is vulnerable: “IOMMU/PCI: don’t let domain cleanup continue when device de-assignment failed”. That patch is currently in upstream stable branches 4.13 onwards and was included in the most recent stable point releases of each Xen version. Other downstream Xen builds may be affected if that patch was backported.
Only Intel x86 systems are affected. AMD x86 systems, and Arm systems, are all unaffected.
Only systems using PCI passthrough are affected. (And then, only if the assigned devices have RMRRs, but whether a device advertises RMRRs is not easy to discern.)
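Since the advisory notes that whether a device advertises RMRRs is not easy to discern, here is an added example (not part of the advisory and not Xen's own tooling) that parses the raw ACPI DMAR table and lists the PCI device scopes covered by each RMRR entry, so an administrator can tell which passthrough candidates fall into the affected set. It assumes the table is readable as /sys/firmware/acpi/tables/DMAR on a Linux system, or XMAR on a Xen dom0 where the hypervisor has rewritten the signature; the sample table embedded in the block is constructed for illustration.

```python
# Parse an ACPI DMAR table and list the PCI device scopes covered by RMRR entries (Intel VT-d spec layout).
import struct
import sys

DMAR_RMRR = 1            # remapping structure type: Reserved Memory Region Reporting
SCOPE_PCI_ENDPOINT = 1   # device scope type: a single PCI function
SCOPE_PCI_BRIDGE = 2     # device scope type: every device behind a PCI bridge

def parse_rmrr(table: bytes):
    """Return [(seg:bus:dev.fn[/dev.fn...], scope_type, base, limit)] for every RMRR device scope."""
    if table[:4] not in (b"DMAR", b"XMAR"):  # Xen rewrites the signature to XMAR in dom0's view
        raise ValueError("not a DMAR table")
    length = min(struct.unpack_from("<I", table, 4)[0], len(table))
    found, off = [], 48  # 36-byte ACPI header + host address width(1) + flags(1) + reserved(10)
    while off + 4 <= length:
        rtype, rlen = struct.unpack_from("<HH", table, off)
        if rlen < 4 or off + rlen > length:
            raise ValueError(f"malformed remapping structure at offset {off}")
        if rtype == DMAR_RMRR:
            # reserved(2) at +4, segment(2) at +6, base(8) at +8, inclusive limit(8) at +16
            segment, base, limit = struct.unpack_from("<HQQ", table, off + 6)
            sc = off + 24
            while sc + 6 <= off + rlen:
                stype, slen, _rsvd, _enum_id, bus = struct.unpack_from("<BBHBB", table, sc)
                if slen < 6 or sc + slen > off + rlen:
                    raise ValueError(f"malformed device scope at offset {sc}")
                path = table[sc + 6:sc + slen]  # (device, function) pairs walked from the start bus
                pairs = [(path[i], path[i + 1]) for i in range(0, len(path) - 1, 2)]
                if stype in (SCOPE_PCI_ENDPOINT, SCOPE_PCI_BRIDGE):  # skip IOAPIC/HPET/ACPI scopes
                    bdf = f"{segment:04x}:{bus:02x}:" + "/".join(f"{d:02x}.{f}" for d, f in pairs)
                    found.append((bdf, stype, base, limit))
                sc += slen
        off += rlen
    return found

def build_sample_dmar() -> bytes:
    """Constructed sample table: one DRHD, then one RMRR over two USB controllers and a bridge."""
    drhd = struct.pack("<HHBBHQ", 0, 16, 1, 0, 0, 0xFED90000)
    scopes = (struct.pack("<BBHBB", SCOPE_PCI_ENDPOINT, 8, 0, 0, 0) + bytes([0x1A, 0])
              + struct.pack("<BBHBB", SCOPE_PCI_ENDPOINT, 8, 0, 0, 0) + bytes([0x1D, 0])
              + struct.pack("<BBHBB", SCOPE_PCI_BRIDGE, 10, 0, 0, 0) + bytes([0x1C, 0, 0, 0]))
    rmrr = struct.pack("<HHHHQQ", DMAR_RMRR, 24 + len(scopes), 0, 0, 0xDD000000, 0xDD1FFFFF) + scopes
    header = b"DMAR" + struct.pack("<I", 48 + len(drhd) + len(rmrr)) + bytes(28) + bytes([38, 0]) + bytes(10)
    return header + drhd + rmrr

if __name__ == "__main__":  # pass /sys/firmware/acpi/tables/DMAR (or XMAR) to inspect the live table
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dmar()
    for bdf, stype, base, limit in parse_rmrr(data):
        print(f"{bdf} scope-type={stype} RMRR {base:#x}-{limit:#x}")
```

A sub-hierarchy scope (type 2) covers every function behind the named bridge, so the path shown is bridge-relative and the secondary bus must be resolved against the host's PCI topology.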
