XSA-49

CVE-2013-1952


Problem description

http://xenbits.xen.org/xsa/advisory-49.html

VT-d interrupt remapping source validation flaw for bridges

Interrupt remapping table entries for MSI interrupts set up by bridge devices did not get any source validation set up on them, allowing misbehaving or malicious guests to inject interrupts into the domain owning the bridges.

In a typical Xen system bridge devices are owned by domain 0, leaving it vulnerable to such an attack. Such a DoS is likely to have an impact on other guests running in the system.

lack of check (invalid interrupt source)
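What the advisory turns on is how the IOMMU uses the source-validation fields of an interrupt remapping table entry (IRTE). The C model below is an added example, not code from Xen or from the advisory: it implements the VT-d check for the three SVT encodings (no verification, SID/SQ match, bus range), then evaluates the pre-fix and post-fix IRTE configuration of a bridge-owned MSI against a requester-id forged by a guest-assigned, bus-mastering endpoint. The SVT_*/SQ_* constant names mirror Xen's, but the struct, the function names, the bus/device numbers and the assumption that a "blank" IRTE is zeroed (SVT == 0 == no verification) are hypothetical.

```c
/*
 * Added example (not Xen code): a model of the VT-d interrupt-remapping
 * source-validation check the IOMMU applies to a remapped MSI.
 * SVT/SQ encodings follow the VT-d specification; the constant names mirror
 * Xen's, the struct, functions and BDF numbers below are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Source Validation Type (IRTE SVT field, 2 bits) */
enum { SVT_NO_VERIFY = 0, SVT_VERIFY_SID_SQ = 1, SVT_VERIFY_BUS = 2 };

/* Source-id Qualifier (IRTE SQ field, 2 bits), used with SVT_VERIFY_SID_SQ */
enum { SQ_ALL_16 = 0, SQ_13_IGNORE_1 = 1, SQ_13_IGNORE_2 = 2, SQ_13_IGNORE_3 = 3 };

#define PCI_DEVFN(dev, fn)   ((((dev) & 0x1f) << 3) | ((fn) & 0x07))
#define PCI_BDF2(bus, devfn) ((uint16_t)((((bus) & 0xff) << 8) | ((devfn) & 0xff)))

/* The three IRTE fields that decide which requester may use the entry. */
struct irte_src {
    uint8_t  svt;
    uint8_t  sq;
    uint16_t sid;   /* BDF for SVT_VERIFY_SID_SQ; (startbus << 8) | endbus for SVT_VERIFY_BUS */
};

/* Model of the hardware check: may an MSI carrying requester-id `rid` use this IRTE? */
static bool irte_accepts(const struct irte_src *e, uint16_t rid)
{
    /* Requester-id bits compared for each SQ value; rid[2:0] is the function number. */
    static const uint16_t sq_mask[4] = { 0xffff, 0xfffb, 0xfff9, 0xfff8 };

    switch (e->svt) {
    case SVT_NO_VERIFY:
        return true;                             /* no source check at all */
    case SVT_VERIFY_SID_SQ:
        return (rid & sq_mask[e->sq & 3]) == (e->sid & sq_mask[e->sq & 3]);
    case SVT_VERIFY_BUS: {
        uint8_t bus = rid >> 8, startbus = e->sid >> 8, endbus = e->sid & 0xff;
        return bus >= startbus && bus <= endbus;  /* any device on the bus range */
    }
    default:
        return false;                            /* reserved encoding */
    }
}

/*
 * Scenario (hypothetical numbers): an MSI set up by a PCIe bridge at 00:1c.0,
 * owned by dom0, and a bus-mastering endpoint at 05:00.0 assigned to a guest.
 * The guest makes its device issue the MSI write with the device's own
 * requester-id. Returns true if that forged interrupt gets through the IRTE.
 */
static bool rogue_msi_delivered(bool patched)
{
    uint16_t bridge_bdf = PCI_BDF2(0x00, PCI_DEVFN(0x1c, 0));
    uint16_t guest_bdf  = PCI_BDF2(0x05, PCI_DEVFN(0x00, 0));
    struct irte_src e;

    if (patched)  /* DEV_TYPE_PCIe_BRIDGE now gets SVT_VERIFY_SID_SQ / SQ_ALL_16 / own BDF */
        e = (struct irte_src){ SVT_VERIFY_SID_SQ, SQ_ALL_16, bridge_bdf };
    else          /* before the fix: IRTE left blank; assumed zeroed, so SVT == SVT_NO_VERIFY */
        e = (struct irte_src){ SVT_NO_VERIFY, 0, 0 };

    return irte_accepts(&e, guest_bdf);
}

/*
 * Legacy PCI device on bus 3 behind a PCIe-to-PCI bridge on bus 2: the fixed
 * code programs SVT_VERIFY_BUS with SID = (upstream bridge bus << 8) | device bus,
 * so only requester-ids on buses 2..3 are accepted.
 */
static bool legacy_bus_range_accepts(uint8_t req_bus)
{
    struct irte_src e = { SVT_VERIFY_BUS, SQ_ALL_16, (uint16_t)((0x02 << 8) | 0x03) };
    return irte_accepts(&e, PCI_BDF2(req_bus, PCI_DEVFN(0, 0)));
}

int main(void)
{
    printf("guest MSI through bridge IRTE, before fix: %s\n",
           rogue_msi_delivered(false) ? "delivered" : "blocked");
    printf("guest MSI through bridge IRTE, after fix:  %s\n",
           rogue_msi_delivered(true) ? "delivered" : "blocked");
    for (unsigned b = 1; b <= 4; b++)
        printf("legacy bus-range IRTE, requester on bus %u: %s\n", b,
               legacy_bus_range_accepts((uint8_t)b) ? "accepted" : "rejected");
    return 0;
}
```

The model shows why the "blank" entry is the whole bug: with SVT left at zero the IOMMU performs no comparison at all, so any bus-mastering device a guest controls can write the bridge's MSI address/data pair and land the interrupt in dom0. It also shows why a legacy PCI device cannot use an exact SID match: its writes arrive with the bridge's requester-id on the secondary bus range, which is what the SVT_VERIFY_BUS start/end-bus encoding covers.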


Patch description

http://xenbits.xen.org/xsa/xsa49-4.2.patch

VT-d: don’t permit SVTNOVERIFY entries for known device types

Only in cases where we don’t know what to do we should leave the IRTE blank (suppressing all validation), but we should always log a warning in those cases (as being insecure).

--- a/xen/drivers/passthrough/vtd/intremap.c
+++ b/xen/drivers/passthrough/vtd/intremap.c
@@ -440,16 +440,15 @@ static void set_msi_source_id(struct pci
     type = pdev_type(seg, bus, devfn);
     switch ( type )
     {
+    case DEV_TYPE_PCIe_ENDPOINT:
     case DEV_TYPE_PCIe_BRIDGE:
     case DEV_TYPE_PCIe2PCI_BRIDGE:
-    case DEV_TYPE_LEGACY_PCI_BRIDGE:
-        break;
-
-    case DEV_TYPE_PCIe_ENDPOINT:
         set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn));
         break;
 
     case DEV_TYPE_PCI:
+    case DEV_TYPE_LEGACY_PCI_BRIDGE:
+    /* case DEV_TYPE_PCI2PCIe_BRIDGE: */
         ret = find_upstream_bridge(seg, &bus, &devfn, &secbus);
         if ( ret == 0 ) /* integrated PCI device */
         {
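Review bot: the commented-out `/* case DEV_TYPE_PCI2PCIe_BRIDGE: */` label excludes that device type from this arm, so it presumably falls to `default` and keeps the blank, unvalidated IRTE the commit message reserves for the unknown case; either enable the label or add a comment stating why PCI-to-PCIe bridges are left out, so the exclusion reads as intentional rather than as a leftover. Folding DEV_TYPE_PCIe_BRIDGE and DEV_TYPE_PCIe2PCI_BRIDGE into the endpoint arm (SVT_VERIFY_SID_SQ, SQ_ALL_16, own BDF) is the right fix for the reported flaw, and moving DEV_TYPE_LEGACY_PCI_BRIDGE to the PCI path is consistent with a legacy bridge needing its upstream bridge resolved first.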
@@ -461,10 +460,15 @@ static void set_msi_source_id(struct pci
             if ( pdev_type(seg, bus, devfn) == DEV_TYPE_PCIe2PCI_BRIDGE )
                 set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16,
                             (bus << 8) | pdev->bus);
-            else if ( pdev_type(seg, bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE )
+            else
                 set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16,
                             PCI_BDF2(bus, devfn));
         }
+        else
+            dprintk(XENLOG_WARNING VTDPREFIX,
+                    "d%d: no upstream bridge for %04x:%02x:%02x.%u\n",
+                    pdev->domain->domain_id,
+                    seg, bus, PCI_SLOT(devfn), PCI_FUNC(devfn));
         break;
 
     default:
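Review bot: the new `else` branch only logs; when find_upstream_bridge() returns neither 0 nor the value handled by the preceding branch, the IRTE's SVT/SQ/SID fields are left untouched, so the entry stays unvalidated exactly as the commit message describes for the unknown case, and a message that can be compiled out is too weak for that. Since dprintk() is not guaranteed to survive a non-debug build, use printk(XENLOG_WARNING VTDPREFIX, ...) here and include the return value of find_upstream_bridge() in the text, so an insecure entry is diagnosable on a production host. Collapsing the `else if ( ... == DEV_TYPE_LEGACY_PCI_BRIDGE )` to a plain `else` is fine given the PCIe2PCI case is checked first, but it now also applies SVT_VERIFY_SID_SQ to any other upstream type, which is the safe direction.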

Consequence

A malicious domain, given access to a bus-mastering-capable device, can mount a denial of service attack affecting the whole system.

DoS