libxl partially sets up HVM passthrough even with disabled iommu

2013-09-10T10:56:00
ID XSA-61
Type xen
Reporter Xen Project
Modified 2013-09-11T12:13:00

Description

ISSUE DESCRIPTION

With HVM domains, libxl's setup of PCI passthrough devices does the IOMMU setup only after it has already given the guest access to the hardware (via the device model) and advertised the device to the guest. If the IOMMU is disabled, the overall setup fails, but by then the device has already been made available to the guest; any DMA the guest subsequently initiates through the device is therefore unrestricted (wild DMA).

IMPACT

An HVM domain, given access to a device which is bus-mastering capable in the absence of a functioning IOMMU, can mount a privilege escalation or denial of service attack affecting the whole system.

VULNERABLE SYSTEMS

  1. Only systems which pass bus-mastering-capable PCI devices through to untrusted guests are vulnerable. (Most PCI devices are bus-mastering capable.)
  2. Only systems which use libxl as part of the toolstack are vulnerable. The major consumer of libxl functionality is the xl toolstack, which became the default in Xen 4.2. In addition to this, libvirt can optionally make use of libxl; this can be queried by running "# virsh version", which will report "xenlight" if libxl is in use. libvirt currently prefers the xend backend if xend is running. The xend and xapi toolstacks do not currently use libxl.
  3. Only Xen versions 4.0.x through 4.2.x are vulnerable. Xen 4.1.6.1 and 4.2.3, however, have the issue already fixed.
  4. Only HVM domains can take advantage of this vulnerability.
  5. Systems which have a functioning IOMMU are NOT vulnerable.
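As an added example (not part of the advisory or of the Xen Project's tooling), the following POSIX sh functions apply the vulnerable-system conditions above to captured tool output: the libxl test from item 2 (the string "xenlight" in the output of "virsh version"), the version range from item 3, and an IOMMU test that rests on the assumption that "xl info" lists "hvm_directio" under virt_caps only when a working IOMMU is present. The sample outputs are constructed, and point releases on the 4.1 and 4.2 branches later than the fixed releases named in item 3 are treated as fixed, which is an interpretation of the advisory rather than a statement it makes.

```shell
#!/bin/sh
# Added example: decide whether a host matches the XSA-61
# "vulnerable systems" conditions from captured tool output.

# Turn a dotted version ("4.1.6.1") into a sortable 8-digit key
# ("04010601"); missing fields count as 0, fields are assumed < 100.
ver_key() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    printf '%02d%02d%02d%02d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Item 3: 4.0.x through 4.2.x are vulnerable, except releases that
# already carry the fix (4.1.6.1 and 4.2.3; later point releases on
# those branches are treated as fixed here, an assumption).
xen_version_vulnerable() {
    key=$(ver_key "$1")
    [ "$key" -ge "$(ver_key 4.0)" ] && [ "$key" -lt "$(ver_key 4.3)" ] || return 1
    [ "$key" -ge "$(ver_key 4.1.6.1)" ] && [ "$key" -lt "$(ver_key 4.2)" ] && return 1
    [ "$key" -ge "$(ver_key 4.2.3)" ] && return 1
    return 0
}

# Item 2: $1 is the captured output of "virsh version"; the libxl
# backend reports itself as "xenlight".
libxl_in_use() {
    case $1 in
        *xenlight*) return 0 ;;
        *) return 1 ;;
    esac
}

# Item 5: $1 is the captured output of "xl info". Assumption (not from
# the advisory): a working IOMMU shows up as "hvm_directio" in virt_caps.
iommu_active() {
    printf '%s\n' "$1" | grep -q '^virt_caps.*hvm_directio'
}

# Combine the checks: $1 virsh output, $2 Xen version, $3 xl info output.
# Returns 0 when the host matches all advisory conditions that can be
# read from tool output (item 1, which devices are passed through and to
# whom, still needs to be checked against the guest configurations).
xsa61_exposed() {
    libxl_in_use "$1" || return 1
    xen_version_vulnerable "$2" || return 1
    iommu_active "$3" && return 1
    return 0
}

# Constructed sample outputs standing in for the real commands.
SAMPLE_VIRSH='Compiled against library: libvirt 1.1.2
Using library: libvirt 1.1.2
Using API: xenlight 1.1.2
Running hypervisor: xenlight 4.2.2'

SAMPLE_XL_INFO_NO_IOMMU='xen_version            : 4.2.2
virt_caps              : hvm'

SAMPLE_XL_INFO_IOMMU='xen_version            : 4.2.2
virt_caps              : hvm hvm_directio'

if xsa61_exposed "$SAMPLE_VIRSH" 4.2.2 "$SAMPLE_XL_INFO_NO_IOMMU"; then
    echo "host matches the XSA-61 vulnerable-system conditions"
else
    echo "host does not match the XSA-61 vulnerable-system conditions"
fi
```

On a live host, replace the sample strings with "$(virsh version)", the version from "xl info", and "$(xl info)"; a match means the fix from item 3 (or enabling the IOMMU, item 5) is needed before any bus-mastering device is passed through to an untrusted guest.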