Bug 853048 (CVE-2013-6400) - VUL-0: CVE-2013-6400: xen: XSA-80: IOMMU TLB flushing may be inadvertently suppressed
Status: RESOLVED FIXED
Alias: CVE-2013-6400
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp3:56441
Reported: 2013-11-30 12:12 UTC by Marcus Meissner
Modified: 2015-02-19 01:35 UTC
Attachments
xsa80.patch (2.02 KB, patch)
2013-11-30 12:13 UTC, Marcus Meissner
Description Marcus Meissner 2013-11-30 12:12:33 UTC
EMBARGOED UNTIL 2013-12-10 12:00 UTC

             Xen Security Advisory CVE-2013-6400 / XSA-80
                              version 2

          IOMMU TLB flushing may be inadvertently suppressed

             *** EMBARGOED UNTIL 2013-12-10 12:00 UTC ***

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2013-6400.

ISSUE DESCRIPTION
=================

An internal flag is used to temporarily suppress IOMMU TLB flushes, in
order to consolidate multiple single page flushes into one wider
flush.  This flag is not cleared again, on certain error paths.  This
can result in TLB flushes not happening when they are needed.
Retaining stale TLB entries could allow guests access to memory that
ought to have been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial of
service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Only VMs which have been assigned PCI devices can exploit the bug.
Only systems using Intel VT-d are vulnerable, since the bug is in the
VT-d specific code in Xen.

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa80-unstable.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa80*.patch
d15e627c59dd48e1cacb2fbcd5e2148975daa426df1f693b991d69201c048e77  xsa80.patch
$
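
The error-path pattern from the issue description above, as an added example that is not part of the original report and is not Xen code: a toy C model in which a batch operation sets a flush-suppression flag and, in the unfixed variant, returns on error without clearing it. All names (`dont_flush`, `map_batch`, `set_page`) and the sample input are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model; every name here is hypothetical. pt[] is the IOMMU page
 * table, tlb[] is the cached translation the device actually uses. */
enum { NPAGES = 8 };
static bool pt[NPAGES], tlb[NPAGES];
static bool dont_flush;                 /* "suppress flushes" flag */

static void flush_all(void) { memcpy(tlb, pt, sizeof(tlb)); }

/* Single-page update: flushes at once unless flushes are suppressed. */
static int set_page(int pfn, bool present) {
    if (pfn < 0 || pfn >= NPAGES) return -1;
    pt[pfn] = present;
    if (!dont_flush) tlb[pfn] = present;
    return 0;
}

/* Batch map followed by one wide flush. With fixed == false the error
 * path returns while the flag is still set. */
static int map_batch(const int *pfns, int n, bool fixed) {
    int rc = 0;
    dont_flush = true;
    for (int i = 0; i < n && rc == 0; i++) {
        rc = set_page(pfns[i], true);
        if (rc && !fixed) return rc;    /* bug: flag never cleared */
    }
    dont_flush = false;                 /* reached on every path when fixed */
    flush_all();
    return rc;
}

/* True if the TLB still maps page 5 after the page table revoked it. */
static bool stale_after_failed_batch(bool fixed) {
    int batch[] = { 1, 2, 99 };         /* constructed input; 99 is invalid */
    memset(pt, 0, sizeof(pt));
    memset(tlb, 0, sizeof(tlb));
    dont_flush = false;
    set_page(5, true);                  /* mapped and flushed normally */
    map_batch(batch, 3, fixed);         /* fails on the third entry */
    set_page(5, false);                 /* revoke page 5 */
    return tlb[5] && !pt[5];
}
int main(void) {
    printf("buggy: stale=%d\n", stale_after_failed_batch(false));
    printf("fixed: stale=%d\n", stale_after_failed_batch(true));
    return 0;
}
```

In the unfixed variant the later, unrelated revocation of page 5 is never flushed, which is the stale-entry condition the advisory describes.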
Comment 1 Marcus Meissner 2013-11-30 12:13:16 UTC
Created attachment 569725
xsa80.patch

patch attached to mail
Comment 2 Swamp Workflow Management 2013-11-30 23:00:56 UTC
bugbot adjusting priority
Comment 3 Charles Arnold 2013-12-02 14:45:44 UTC
This affects SLE11 SP3 and openSUSE 12.3/13.1
Comment 4 Sebastian Krahmer 2013-12-10 13:08:57 UTC
went public
Comment 5 Charles Arnold 2014-02-25 18:07:25 UTC
Xen package submitted for this bug with the following requests:

SUSE:SLE-11-SP3:Update:Test: SR#33408
openSUSE:13.1:Update: MR#223835
openSUSE:12.3:Update: MR#223847
Comment 6 jun wang 2014-03-05 09:38:39 UTC
I am testing the bug, but I can't find the patch from comment#1 in xen sources.
It was named "28164-IOMMU-clear-don-t-flush-override-on-error-paths.patch"
in the xen spec file.

Please check it.
Comment 10 Swamp Workflow Management 2014-03-13 19:52:03 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-libs-x86, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 11 Swamp Workflow Management 2014-03-13 23:07:28 UTC
SUSE-SU-2014:0373-1: An update that solves 12 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 831120,833251,848014,853048,853049,858311,860092,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.4_02-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.4_02-0.7.1
Comment 12 Alexander Bergmann 2014-04-01 12:05:33 UTC
Fixed and released. Closing Bug.
Comment 13 Swamp Workflow Management 2014-04-04 14:05:22 UTC
openSUSE-SU-2014:0482-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 831120,853048,853049
CVE References: CVE-2013-2212,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885
Sources used:
openSUSE 13.1 (src):    xen-4.3.2_01-12.1
Comment 14 Swamp Workflow Management 2014-04-04 14:09:05 UTC
openSUSE-SU-2014:0483-1: An update that solves 16 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 831120,833251,833483,840997,842417,846849,848014,848657,849665,849667,849668,853048,853049,858311,858496,860163,860165,860300,860302,861256,863297
CVE References: CVE-2013-2212,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554,CVE-2013-6400,CVE-2013-6885,CVE-2014-1642,CVE-2014-1666,CVE-2014-1891,CVE-2014-1892,CVE-2014-1893,CVE-2014-1894,CVE-2014-1895,CVE-2014-1896,CVE-2014-1950
Sources used:
openSUSE 12.3 (src):    xen-4.2.4_02-1.26.2