Insufficient TLB flushing in VT-d (iommu) code

2013-11-20T17:08:00
ID XSA-78
Type xen
Reporter Xen Project
Modified 2013-11-21T11:32:00

Description

ISSUE DESCRIPTION

An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended.
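The failure mode described above, as an added C model that is not Xen's code and is not taken from the advisory: a translation table with a software IOTLB in front of it, where the flush helper skips the flush when told the old entry was not present. All names (`dma_translate`, `iotlb_flush`, `unmap_page`, `old_pte_present`) and the frame numbers are hypothetical and constructed for illustration.

```c
/* Toy model, constructed for illustration (not Xen code): a translation
 * table with a software IOTLB in front of it. Frame 0 means "not present". */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define NPAGES 8
#define NOT_MAPPED UINT64_MAX
static uint64_t pte[NPAGES], iotlb[NPAGES]; /* table entries, cached translations */

/* Device access: a cached translation is used without consulting the table. */
static uint64_t dma_translate(unsigned gfn)
{
    if (iotlb[gfn]) return iotlb[gfn];
    if (!pte[gfn]) return NOT_MAPPED;
    return iotlb[gfn] = pte[gfn];
}

/* Hypothetical flush helper: the flush may be skipped only when the old
 * entry was not present, since nothing can have been cached for it. */
static void iotlb_flush(unsigned gfn, bool old_pte_present)
{
    if (old_pte_present) iotlb[gfn] = 0;
}

/* Clear a mapping. inverted=true models the bug class: the caller passes
 * the opposite of the entry's real state, so a present entry is not flushed. */
static void unmap_page(unsigned gfn, bool inverted)
{
    bool was_present = pte[gfn] != 0;
    pte[gfn] = 0;
    iotlb_flush(gfn, inverted ? !was_present : was_present);
}

/* What the device resolves for page 3 after map, one access, then unmap. */
static uint64_t translate_after_unmap(bool inverted)
{
    iotlb[3] = 0;               /* start with an empty cache entry */
    pte[3] = 0x1234;            /* constructed frame number */
    dma_translate(3);           /* device touches the page, filling the IOTLB */
    unmap_page(3, inverted);
    return dma_translate(3);
}

int main(void)
{
    printf("correct flag:  %s\n", translate_after_unmap(false) == NOT_MAPPED ? "revoked" : "stale");
    printf("inverted flag: %s\n", translate_after_unmap(true) == NOT_MAPPED ? "revoked" : "stale");
    return 0;
}
```

With the correct flag the lookup after unmap fails; with the inverted flag the device still resolves the old frame even though the table entry is already clear.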

IMPACT

Malicious guest administrators might be able to cause host-wide denial of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS

Xen 4.2.x and later are vulnerable. Xen 4.1.x and earlier are not vulnerable. Only systems using Intel VT-d for PCI passthrough are vulnerable.