Bugzilla – Bug 724906
VUL-0: CVE-2011-1898: kernel: kvm: VT-d (PCI passthrough) MSI trap injection
Last modified: 2016-05-24 10:00:43 UTC
While we fixed this for XEN, we need to fix it for KVM too as it is also affected (apparently as Redhat has fixed it for KVM).

+++ This bug was initially created as a clone of Bug #702025 +++

Hi. There is a security bug in package 'kvm' / Linux kernel. This bug is public. There is no coordinated release date (CRD) set.

More information can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=715555

CVE number: CVE-2011-1898
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1898
CVSS v2 Base Score: 7.4 (important) (AV:A/AC:M/Au:S/C:C/I:C/A:C)
Original posting: https://bugzilla.redhat.com/show_bug.cgi?id=715555

Petr Matousek 2011-06-23 06:28:57 EDT

Problem description:
Intel VT-d chipsets without interrupt remapping do not prevent a guest which owns a PCI device from using DMA to generate MSI interrupts by writing to the interrupt injection registers. This can be exploited to inject traps and gain control of the host.

References:
http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00687.html
http://theinvisiblethings.blogspot.com/2011/05/following-white-rabbit-software-attacks.html
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
Please post the suggested patch to this bug. Stephan Mueller should have a look at it to be able to identify issues. Thanks!
In mainline linux kernel we have this patch:

commit 3f68b0318bbbd61bf08478ab99a149f0d9e5156e
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Thu Jul 14 13:27:03 2011 -0600

    KVM: IOMMU: Disable device assignment without interrupt remapping

    IOMMU interrupt remapping support provides a further layer of isolation
    for device assignment by preventing arbitrary interrupt block DMA writes
    by a malicious guest from reaching the host. By default, we should
    require that the platform provides interrupt remapping support, with an
    opt-in mechanism for existing behavior.

    Both AMD IOMMU and Intel VT-d2 hardware support interrupt remapping,
    however we currently only have software support on the Intel side.
    Users wishing to re-enable device assignment when interrupt remapping
    is not supported on the platform can use the
    "allow_unsafe_assigned_interrupts=1" module option.

    [avi: break long lines]

    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Avi Kivity <avi@redhat.com>
I am not entirely sure that this patch fixes the issue completely.

The exploit description in the PDF contains the following -- quote:

For compatibility reasons, devices might still be allowed to generate interrupts in the compatibility format. According to the spec, this is allowed if both of the following conditions hold:
1. Extended Interrupt Mode (also called x2APIC) is not enabled,
2. The Compatibility Format Interrupt (CFI) field in the Global Command register is set,

==> The system shall therefore be secured if both settings are NOT present.

According to the kernel code as far as I understand, the hardware analysis and the resulting setting of IOMMU_CAP_INTR_REMAP is done in iommu_set_intr_remapping(). If I understand the code there correctly, the code may set the flag when it finds an APIC as well as x2APIC. Moreover, the check for CFI does not seem to be present at all.

Therefore, I currently do not understand why this patch is considered to be complete.

Moreover, the actual device remapping must take place somewhere. Could you please help me find that?
One more thing. The PDF references Xen patches which prevent the invocation of interrupt 0x82 from devices. Shouldn't we have a similar check for 0x80 as this interrupt is still there?
Bruce, can we please have some insight on this?
(In reply to comment #3)
> I am not entirely sure that this patch fixes the issue completely.
>
> The exploit description in the PDF contains the following -- quote:
>
> For compatibility reasons, devices might still be allowed to generate
> interrupts in the compatibility format.
> According to the spec, this is allowed if both of the following
> conditions hold:
> 1. Extended Interrupt Mode (also called x2APIC) is not enabled,
> 2. The Compatibility Format Interrupt (CFI) field in the Global Command
> register is set,
>
> ==> The system shall therefore be secured if both settings are NOT present.
>
> According to the kernel code as far as I understand, the hardware analysis and
> the resulting setting of IOMMU_CAP_INTR_REMAP is done in
> iommu_set_intr_remapping(). If I understand the code there correctly, the code
> may set the flag when it finds an APIC as well as x2APIC. Moreover, the check
> for CFI does not seem to be present at all.
>
> Therefore, I currently do not understand why this patch is considered to be
> complete.

From what I can tell, the CFI field in the Global Command Register never gets set under linux, so x2APIC being enabled or not is irrelevant: the compatibility format will not be allowed/accepted.

> Moreover, the actual device remapping must take place somewhere. Could you
> please help me finding that?

I'm not sure what remapping you are talking about here.
(In reply to comment #4)
> One more thing. The PDF references Xen patches which prevent the invocation of
> interrupt 0x82 from devices. Shouldn't we have a similar check for 0x80 as this
> interrupt is still there?

As far as I can gather, an exploit against vector 0x80 (0x82 is Xen specific) is only reasonable when done from a PV guest, for similar reasons given as for the #AC case in the pdf doc. In other words, an attempt to exploit vector 0x80 will result in a DoS style attack and not in any ability to gain control.
My plan at the moment is to get this patch checked in for SLES 11 SP2 RC2, and get some feedback from others for SP1.

The fix is already in the v3.1 kernel, and is appropriate in my estimation, but carries with it a non-trivial user impact. I would guess that most users today of pci-passthrough are not running on systems with interrupt remapping available or if available, then not enabled in the BIOS, or in the case of AMD, not supported by Linux yet. The fix causes pci-passthrough on these systems to no longer work, unless the kvm module parameter "allow_unsafe_assigned_interrupts=1" is used.

The exploit requires of course a guest with a direct assigned pci device. But beyond that it requires a compromise of the guest OS. Even with that compromise, the main attack vector would be a DoS, whereas an actual security exploit would be extremely difficult.

I would think that as a matter of policy, no one should be assigning a pci device to a guest without strict controls on what is running in that guest. So, for example, I don't believe kvm (or xen for that matter) is at the point of maturity of allowing pci passthrough to an arbitrary guest running in a cloud - the risk is too high in my estimation.

I present these views to counter the need to fix this for SP1, with the accompanying change of behavior which pci-passthrough users will see. The customer should be informed of the potential for an exploit when passing through a pci device to a guest, but I'm thinking that that is as far as we go for SP1. SP2 will be out in a few months, and given the low likelihood of an exploit here, I think that should be the solution for SP1.

For added perspective, RedHat apparently felt a fix for RHEL 5 was too intrusive, and is recommending their customers running that OS to "only use PCI passthrough with trusted guests" (see RH bz#715555).

Differing opinions are of course welcome.
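As an added example (not code from this bug report or from the kernel patch quoted above), the following POSIX shell audit checks the two facts the patch keys on: whether each VT-d unit advertises interrupt remapping in its ECAP register, and whether the allow_unsafe_assigned_interrupts opt-in is set, then reports the verdict a patched KVM would reach for a device-assignment attempt. It assumes the sysfs paths /sys/class/iommu/dmar*/intel-iommu/ecap and /sys/module/kvm/parameters/allow_unsafe_assigned_interrupts, and that ECAP bit 3 is the IR bit as in Linux's ecap_ir_support() macro; none of these come from the page.

```shell
#!/bin/sh
# Added example, not code from this bug report or from the kernel patch it
# discusses. Audits the two facts the patch keys on: does each VT-d unit
# advertise interrupt remapping, and is the allow_unsafe_assigned_interrupts
# opt-in set, then reports the verdict the patched KVM would reach.
#
# Assumptions (not stated on this page): ECAP bit 3 is the Interrupt
# Remapping (IR) bit, as in Linux's ecap_ir_support() macro; kernels that
# export the register do so at /sys/class/iommu/dmar*/intel-iommu/ecap as
# bare hex; the KVM option is visible under /sys/module/kvm/parameters/.

# ir_supported ECAP_HEX: exit 0 if bit 3 (IR) of the ECAP register is set.
# Accepts the bare hex sysfs form ("f020fe") or a 0x-prefixed value.
ir_supported() {
    case $1 in
        0x*|0X*) hex=$1 ;;
        *)       hex=0x$1 ;;
    esac
    ecap=$(printf '%d' "$hex" 2>/dev/null) || return 2   # malformed input
    [ $(( (ecap >> 3) & 1 )) -eq 1 ]
}

# assignment_verdict ECAP_HEX ALLOW_UNSAFE: print what a device-assignment
# attempt would get from a kernel carrying the patch (always exits 0).
#   safe          IOMMU offers interrupt remapping, assignment proceeds
#   blocked       no interrupt remapping and no opt-in, assignment refused
#   unsafe-optin  no interrupt remapping, but allow_unsafe_assigned_interrupts=1
assignment_verdict() {
    if ir_supported "$1"; then
        echo safe
    elif [ "$2" = 1 ] || [ "$2" = Y ]; then   # sysfs shows a bool param as Y/N
        echo unsafe-optin
    else
        echo blocked
    fi
}

# audit_host: apply the verdict to every DMAR unit the running kernel exports.
# Hardware support is necessary, not sufficient: the kernel must also have
# enabled remapping (e.g. not booted with intremap=off), so treat "safe" as a
# pre-check and let KVM's own refusal at assignment time be the final word.
audit_host() {
    allow=N
    p=/sys/module/kvm/parameters/allow_unsafe_assigned_interrupts
    [ -r "$p" ] && allow=$(cat "$p")
    found=0
    for f in /sys/class/iommu/dmar*/intel-iommu/ecap; do
        [ -r "$f" ] || continue
        found=1
        unit=${f%/intel-iommu/ecap}
        unit=${unit##*/}
        ecap=$(cat "$f")
        echo "$unit: ecap=$ecap allow_unsafe=$allow verdict=$(assignment_verdict "$ecap" "$allow")"
    done
    [ "$found" -eq 1 ] ||
        echo "no DMAR unit exported: VT-d absent, disabled in firmware, or kernel too old to export ecap"
    return 0
}

audit_host
```

A host that prints "unsafe-optin" is running exactly the configuration this thread is about: passthrough works, but only because the opt-in disabled the patch's protection.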
> I would think that as a matter of policy, no one should be assigning a pci
> device to a guest without strict controls on what is running in that guest. So,
> for example, I don't believe kvm (or xen for that matter) is at the point of
> maturity of allowing pci passthrough to an arbitrary guest running in a cloud -
> the risk is too high in my estimation.

Can you please shed some light on your concerns? Currently, my concerns would be:

- access to the config space of a PCI device by untrusted guests may cause things like PCI bus lockups etc.

- as we require multi-function PCI devices to be fully assigned to one VM, there are no concerns
(In reply to comment #10)
> > I would think that as a matter of policy, no one should be assigning a pci
> > device to a guest without strict controls on what is running in that guest. So,
> > for example, I don't believe kvm (or xen for that matter) is at the point of
> > maturity of allowing pci passthrough to an arbitrary guest running in a cloud -
> > the risk is too high in my estimation.
>
> Can you please shed some light on your concerns? Currently, my concerns would
> be:
>
> - access to the config space of a PCI device by untrusted guests may cause
> things like PCI bus lockups etc.
>
> - as we require that multi-function PCI devices to be fully assigned to one VM,
> there are no concerns

Well, I don't have anything in particular, but rather a gut feeling that there hasn't been enough analysis of potential issues, nor enough time passing without any security issues being discovered to have high confidence that there aren't still remaining exploits that could take place from a pci passthroughed guest. I think pci-passthrough hasn't really gotten the full attention needed to be marked as "known safe". But, as I said, this for me is just a gut feeling without hard facts to back it up.
Just FYI, I have added the following guidance to admins:

As the core goal of the virtualization mechanism is the full isolation of the virtual machines from each other, the following configuration constraints MUST be considered by the administrator of the virtual machines.

=over

=item *

Single-function PCI devices MAY be assigned to virtual machines.

=item *

SR-IOV PCIe devices MAY be assigned fully to one virtual machine. In addition, one individual virtual device on these SR-IOV PCIe devices MAY be assigned to a virtual machine. Other virtual devices of the same SR-IOV PCIe MAY be assigned to the host system or another virtual machine. For more information on SR-IOV PCIe device assignment, see section L<"SR-IOV PCIe device assignment"> "SR-IOV PCIe device assignment".

=item *

When assigning multi-function PCI devices, all functions of the PCI device MUST be assigned to the same virtual machine. It is NOT permitted to assign a function to either a different virtual machine or the host system. As the evaluation cannot verify that such multi-function PCI devices do not have a channel between the different functions, any assignment of the different functions to different virtual machines may break the separation functionality provided by the KVM implementation. Therefore, using the C<lspci> example above, all USB controllers (i.e. devices "00:1a.0", "00:1a.1", and "00:1a.7") would need to be assigned to one virtual machine if such USB controller functionality is required by the virtual machine.

=back

Please note that the PCI device assignment functionality assigns PCI devices. If such PCI devices link to subordinate devices, all these subordinate devices will be assigned to a virtual machine if the PCI device is assigned. For example, a FiberChannel PCI device is connected to several different disks. If that FiberChannel PCI device is assigned to a virtual machine, that virtual machine has full and complete control over all disks connected to the FiberChannel PCI device. Another example is the above mentioned USB Controller: if different USB devices are attached to that USB controller, all those devices will be fully and exclusively accessible by a virtual machine if that PCI device of a USB controller is assigned to the virtual machine.

B<WARNING>: Neither the I<libvirtd> management daemon, nor the KVM functionality implement any constraints in which PCI, PCIe or SR-IOV PCIe devices can be assigned to a virtual machine. A virtual machine administrator may assign any device listed in the C<lspci> or C<lsusb> output to a virtual machine. This includes devices that are needed by the host system. For example, the above mentioned C<lspci> listing shows a VGA device which is in our example needed by the host as otherwise the host would be headless. I<libvirtd> now allows the virtual machine administrator to assign that VGA PCI device to a virtual machine. If the virtual machine administrator chooses to assign the VGA PCI device, the host system is not able to use that device any more! In case of a VGA PCI device, such a scenario may not cause any harm. But if the VM administrator would reassign the SCSI device providing the disks needed by the host system to a virtual machine, the host would simply crash as it would not have access to its disks and partitions any more. Therefore, virtual machine administrators have the ability to disrupt the operation of the host.

The evaluated configuration does not place any constraints other than those listed above on which PCI devices are assigned to virtual machines. This gives the virtual machine administrator full flexibility over PCI device assignment configuration. However, the administrator MUST be very careful about which PCI devices are assigned.
The patch mentioned in comment#2 has been checked in for SLE11 SP2.
Reassigning to security-team@ for validation.
The text looks ok. I cannot really speak about the patches and their state.
openSUSE-SU-2013:0927-1: An update that solves 75 vulnerabilities and has 1406 fixes is now available.
Category: security (low)
Sources used: openSUSE 11.4 (src): drbd-8.3.11-10.1, iscsitarget-1.4.19-14.3, kernel-docs-3.0.58-30.3, kernel-source-3.0.58-30.1, kernel-syms-3.0.58-30.1, ndiswrapper-1.57rc1-16.2, omnibook-20100406-9.2, open-vm-tools-2012.8.8.1-37.2, preload-1.2-6.25.2, systemtap-1.4-1.5.1, virtualbox-4.0.12-0.54.2
We have this in SLE 11 SP3 and SLE 11 SP2 LTSS. SLE 11 SP1 LTSS is still missing this fix. Please include it so we can close this bug.
Assigning to Bruce.
We can now close this, I think.