WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthro

from [Joanna Rutkowska] [Permanent Link][Original]
To: Jan Beulich <JBeulich@xxxxxxxxxx>
Subject: Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI
From: Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 13 May 2011 13:08:16 +0200
Cc: Keir Fraser <keir@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
Delivery-date: Fri, 13 May 2011 04:07:06 -0700
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=messagingengine.com; h=message-id:date:from:mime-version:to:cc:subject:references:in-reply-to:content-type; s=smtpout; bh=hcVxEBUoye0qLrWJ0PiQcMIu5mo=; b=gPPco8pnB/uF6ZP1iB7mD/Uz6lopQBQFH1Mmaf3G/h+vQEWXH8HcRmotxu4+GM79tuv2Nu3aX0NnqC5x+8wCcJ+pWnFx1Ob2gJipo9uu+llpGykTNJIZcKnCi+X2UDJ9R/MucwS9Qb/rzn3sMY8J8PjtsDEymbtOGfz8AyHgQZ4=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4DCD030902000078000412C8@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <19915.58644.191837.671729@xxxxxxxxxxxxxxxxxxxxxxxx> <4DCD030902000078000412C8@xxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110421 Fedora/3.1.9-2.fc14 Lightning/1.0b3pre Thunderbird/3.1.9 
On 05/13/11 10:08, Jan Beulich wrote:
>>>> On 12.05.11 at 15:48, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> wrote:
>> Intel VT-d chipsets without interrupt remapping do not prevent a guest
>> which owns a PCI device from using DMA to generate MSI interrupts by
>> writing to the interrupt injection registers.  This can be exploited
>> to inject traps and gain control of the host.
> 
> Isn't that (or at least can't that be) prevented with DMA remapping?
> 

No. That's sort of the key point here, and the reason why IR hardware is
required.

>> The first patch is intended to reduce the impact from full privilege
>> escalation to denial of service.
>>  Filename: 00-block-msis-on-trap-vectors
>>  SHA1: 0fcc1914714c228e98b3e84597e06cb5de09003c
>>  SHA256: 998e8d5632ee6ad92f52796fe94923f9c38096c5adf2ca74209a6792436ea1e9
> 
> You modify only 64-bit and only VT-d code here. While I know you
> don't care much for it, doing the same for 32-bit would seem trivial.
> 
> As to AMD's IOMMU, it may well be that interrupt re-mapping isn't
> optional in the hardware (albeit it can be disabled on the command
> line, though that's the admin's security risk then), but the code
> having BUG_ON()s on failed allocations and those allocations
> happening in table parsing callbacks doesn't really make this
> explicit (for me at least) on the first glance.
> 
> Finally, wouldn't killing all guests that potentially could have caused
> the problem be a better measure than bringing down the host?
> 

Killing the guest might no longer be enough, because the guest might
have already programmed the device to keep sending malicious MSIs. So,
panic()ing the whole VMM seems like a safer choice. Keep in mind that on
a non-IR hardware there are probably many other ways for the malicious
driver domain to cause global DoS. (In fact, my impression is that most
people regarded IR as an anti-DoS mechanism, and I believe our paper is
the first to show that the problems were far worse than possible DoS.)

joanna.

> Jan
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] [PATCH] amd-iommu: two more __init annotations, Jan Beulich
Next by Date:  Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI, Ian Campbell
Previous by Thread:  Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI, Jan Beulich
Next by Thread:  Re: [Xen-devel] Xen security advisory CVE-2011-1898 - VT-d (PCI passthrough) MSI, Ian Campbell
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy