[Xen-changelog] [xen-4.1-testing] x86, vtd: [CVE-2011-1898] Protect agai

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-4.1-testing] x86, vtd: [CVE-2011-1898] Protect against malicious MSIs from untrusted devices.
From: Xen patchbot-4.1-testing <patchbot@xxxxxxx>
Date: Fri, 13 May 2011 16:16:21 +0100
Delivery-date: Fri, 13 May 2011 08:18:35 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir@xxxxxxx>
# Date 1305219827 -3600
# Node ID ed630a821de1442270d4f1c4228262e406fdeb2e
# Parent  bf9a086b4d63641c343e775b9240b6d2639006d9
x86, vtd: [CVE-2011-1898] Protect against malicious MSIs from untrusted devices.

In the absence of VT-d interrupt remapping support, a device can send
arbitrary APIC messages to host CPUs. One class of attack that results
is to confuse the hypervisor by delivering asynchronous interrupts to
vectors that are expected to handle only synchronous
traps/exceptions.

We block this class of attack by:
(1) setting APIC.TPR=0x10, to block all interrupts below vector
0x20. This blocks delivery to all architectural exception vectors.
(2) checking APIC.ISR[vec] for vectors 0x80 (fast syscall) and 0x82
(hypercall). In these cases we BUG if we detect we are handling a
hardware interrupt -- turning a potentially more severe infiltration
into a straightforward system crash (i.e., DoS).

Thanks to Invisible Things Lab <http://www.invisiblethingslab.com>
for discovery and detailed investigation of this attack.

Signed-off-by: Keir Fraser <keir@xxxxxxx>
xen-unstable changeset:   23337:cc91832a02c7
xen-unstable date:        Thu May 12 16:39:31 2011 +0100
---


diff -r bf9a086b4d63 -r ed630a821de1 xen/arch/x86/apic.c
--- a/xen/arch/x86/apic.c       Thu May 12 09:20:09 2011 +0100
+++ b/xen/arch/x86/apic.c       Thu May 12 18:03:47 2011 +0100
@@ -575,12 +575,9 @@
     init_apic_ldr();
 
     /*
-     * Set Task Priority to 'accept all'. We never change this
-     * later on.
+     * Set Task Priority to reject any interrupts below FIRST_DYNAMIC_VECTOR.
      */
-    value = apic_read(APIC_TASKPRI);
-    value &= ~APIC_TPRI_MASK;
-    apic_write_around(APIC_TASKPRI, value);
+    apic_write_around(APIC_TASKPRI, (FIRST_DYNAMIC_VECTOR & 0xF0) - 0x10);
 
     /*
      * After a crash, we no longer service the interrupts and a pending
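Review bot: The new `apic_write_around(APIC_TASKPRI, (FIRST_DYNAMIC_VECTOR & 0xF0) - 0x10)` encodes the mitigation arithmetically, but the comment above it only says interrupts below FIRST_DYNAMIC_VECTOR are rejected; it does not record that the old "accept all" setting was unsafe because an unfiltered MSI could be delivered to an exception vector, which is the whole reason for this change. The expression also quietly assumes FIRST_DYNAMIC_VECTOR is at least 0x10 and 16-aligned; if it were ever lowered the subtraction would wrap and the TPR would mask far more than intended. I would extend the comment to `/* Reject vectors below FIRST_DYNAMIC_VECTOR (the exception vectors) so an unfiltered MSI cannot be delivered as a trap; see CVE-2011-1898. */` and pin the assumption with `BUILD_BUG_ON(FIRST_DYNAMIC_VECTOR < 0x10);` next to the write. The enclosing function starts outside the hunk.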
@@ -1483,3 +1480,9 @@
 
     return 0;
 }
+
+void check_for_unexpected_msi(unsigned int vector)
+{
+    unsigned long v = apic_read(APIC_ISR + ((vector & ~0x1f) >> 1));
+    BUG_ON(v & (1 << (vector & 0x1f)));
+}
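Review bot: `1 << (vector & 0x1f)` in check_for_unexpected_msi is an int shift, so for bit 31 it is undefined behaviour (shifting a 1 into the sign bit); the two callers in this patch pass 0x80 and HYPERCALL_VECTOR, whose low bits are 0 and 2, so it is not reached today, but the mask should be `1UL << (vector & 0x1f)` to match the unsigned long `v` it is tested against. The function also has no comment and is called only from assembly, so nothing tells a reader what "unexpected" means here. I would add a header: `/* Called from the int 0x80 / hypercall entry paths when untrusted_msi is set: if the LAPIC ISR shows 'vector' as in service we arrived via a hardware interrupt (a spoofed MSI), not a synchronous trap, so crash rather than continue (CVE-2011-1898). */`.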
diff -r bf9a086b4d63 -r ed630a821de1 xen/arch/x86/x86_64/compat/entry.S
--- a/xen/arch/x86/x86_64/compat/entry.S        Thu May 12 09:20:09 2011 +0100
+++ b/xen/arch/x86/x86_64/compat/entry.S        Thu May 12 18:03:47 2011 +0100
@@ -10,12 +10,22 @@
 #include <asm/page.h>
 #include <asm/desc.h>
 #include <public/xen.h>
+#include <irq_vectors.h>
 
         ALIGN
 ENTRY(compat_hypercall)
         pushq $0
         movl  $TRAP_syscall,4(%rsp)
         SAVE_ALL
+
+        cmpb  $0,untrusted_msi(%rip)
+UNLIKELY_START(ne, msi_check)
+        movl  $HYPERCALL_VECTOR,%edi
+        call  check_for_unexpected_msi
+        RESTORE_ALL
+        SAVE_ALL
+UNLIKELY_END(msi_check)
+
         GET_CURRENT(%rbx)
 
         cmpl  $NR_hypercalls,%eax
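Review bot: The msi_check block inserted after SAVE_ALL has no comment explaining why a C call plus a RESTORE_ALL/SAVE_ALL round-trip sits in the hypercall entry path, and the identical block in xen/arch/x86/x86_64/entry.S has the same gap. I would put above `cmpb $0,untrusted_msi(%rip)`: `/* Without interrupt remapping an untrusted device can raise an MSI on this vector; make sure we got here via a trap, not an in-service interrupt. */`. The `cmpb` also assumes untrusted_msi is a single byte, which holds only as long as the bool_t definition in iommu.c stays one byte wide; a one-line note of that assumption would keep the two files from drifting apart. compat_hypercall continues outside the hunk.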
diff -r bf9a086b4d63 -r ed630a821de1 xen/arch/x86/x86_64/entry.S
--- a/xen/arch/x86/x86_64/entry.S       Thu May 12 09:20:09 2011 +0100
+++ b/xen/arch/x86/x86_64/entry.S       Thu May 12 18:03:47 2011 +0100
@@ -296,6 +296,14 @@
         pushq $0
         SAVE_ALL
 
+        cmpb  $0,untrusted_msi(%rip)
+UNLIKELY_START(ne, msi_check)
+        movl  $0x80,%edi
+        call  check_for_unexpected_msi
+        RESTORE_ALL
+        SAVE_ALL
+UNLIKELY_END(msi_check)
+
         GET_CURRENT(%rbx)
 
         /* Check that the callback is non-null. */
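Review bot: `movl $0x80,%edi` hard-codes the vector while compat/entry.S passes the named `HYPERCALL_VECTOR` for the same purpose, so a reader of this file has to know from the commit message that 0x80 is the fast syscall vector. If irq_vectors.h provides a name for it, use that; otherwise at least annotate the line, `movl  $0x80,%edi  /* int 0x80 fast-syscall vector */`. The surrounding entry point starts outside the hunk.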
diff -r bf9a086b4d63 -r ed630a821de1 xen/drivers/passthrough/vtd/iommu.c
--- a/xen/drivers/passthrough/vtd/iommu.c       Thu May 12 09:20:09 2011 +0100
+++ b/xen/drivers/passthrough/vtd/iommu.c       Thu May 12 18:03:47 2011 +0100
@@ -48,6 +48,9 @@
 static int sharept = 0;
 boolean_param("sharept", sharept);
 
+/* Possible unfiltered LAPIC/MSI messages from untrusted sources? */
+bool_t __read_mostly untrusted_msi;
+
 int nr_iommus;
 
 static void setup_dom0_devices(struct domain *d);
@@ -1582,6 +1585,14 @@
     if (!pdev)
         return -ENODEV;
 
+    /*
+     * Devices assigned to untrusted domains (here assumed to be any domU)
+     * can attempt to send arbitrary LAPIC/MSI messages. We are unprotected
+     * by the root complex unless interrupt remapping is enabled.
+     */
+    if ( (target != dom0) && !iommu_intremap )
+        untrusted_msi = 1;
+
     ret = domain_context_unmap(source, bus, devfn);
     if ( ret )
         return ret;
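Review bot: untrusted_msi is raised before domain_context_unmap is even attempted, so a reassignment that fails later still leaves the flag set, and nothing in this hunk clears it when a device goes back to dom0; that is the conservative direction, but the comment does not say it is deliberate. I would extend it: `This flag is intentionally sticky: once any device has been exposed to an untrusted domain without remapping, the entry-path checks stay on for the lifetime of the host.` If devices can reach a domU through a path other than this function, that path would need the same check; I cannot see that from this hunk. The enclosing function starts outside the hunk.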
