Bug 851386 (CVE-2013-6375) - VUL-0: CVE-2013-6375: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code
Summary: VUL-0: CVE-2013-6375: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) ...
Status: RESOLVED FIXED
Alias: CVE-2013-6375
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:55163:moderate maint:r...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-20 17:12 UTC by Marcus Meissner
Modified: 2013-12-19 21:06 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
xsa78.patch (872 bytes, patch)
2013-11-20 17:12 UTC, Marcus Meissner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-11-20 17:12:14 UTC 
is public, via oss-sec

                    Xen Security Advisory XSA-78

           Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$
Comment 1 Marcus Meissner 2013-11-20 17:12:48 UTC 
Created attachment 568294 [details]
xsa78.patch

xsa78.patch
Comment 2 Swamp Workflow Management 2013-11-20 23:00:16 UTC 
bugbot adjusting priority
Comment 3 Charles Arnold 2013-11-25 21:13:13 UTC 
Xen is submitted for SLE11-SP3 SR#: 29549
Comment 5 Swamp Workflow Management 2013-12-16 10:05:30 UTC 
openSUSE-SU-2013:1876-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 845520,848657,849665,849667,849668,851386,851749
CVE References: CVE-2013-4416,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554
Sources used:
openSUSE 13.1 (src):    xen-4.3.1_02-4.4
Comment 6 Marcus Meissner 2013-12-19 15:43:51 UTC 
done
Comment 7 Swamp Workflow Management 2013-12-19 17:48:56 UTC 
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 8 Swamp Workflow Management 2013-12-19 21:06:23 UTC 
SUSE-SU-2013:1923-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 833483,840997,842417,846849,848014,848657,849665,849667,849668,851386
CVE References: CVE-2013-1922,CVE-2013-2007,CVE-2013-4375,CVE-2013-4416,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.3_08-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.3_08-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.3_08-0.7.1