XSA-78

CVE-2013-6375


Problem description

http://xenbits.xen.org/xsa/advisory-78.html

Insufficient TLB flushing in VT-d (iommu) code

An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended.

logic error (pass wrong parameter)
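To make the failure mode concrete, here is a constructed toy model (added here, not Xen code; every name in it is hypothetical) of a translation table with a TLB in front of it. The clear routine only flushes the TLB when its caller says the old entry was present, mirroring the third argument of the flush call in the advisory, so passing 0 for a present entry leaves a stale translation that a device can still use after the mapping was revoked.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed toy model, not Xen code: a flat IOVA->phys table plus a small
 * TLB that caches translations. All names here are hypothetical. */
#define TLB_SIZE   4
#define NOT_MAPPED 0
static uint64_t table[8];   /* IOVA page -> phys page, 0 = not present */
struct tlb_entry { unsigned iova; uint64_t phys; bool valid; };
static struct tlb_entry tlb[TLB_SIZE];

static void iotlb_flush(unsigned iova)      /* drop the cached translation */
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].iova == iova)
            tlb[i].valid = false;
}

/* Translate as a device would: a TLB hit wins, the table is read only on a miss. */
uint64_t translate(unsigned iova)
{
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].iova == iova)
            return tlb[i].phys;
    if (table[iova] == NOT_MAPPED)
        return NOT_MAPPED;
    tlb[iova % TLB_SIZE] = (struct tlb_entry){ iova, table[iova], true };
    return table[iova];
}
/* Clear an entry. 'was_present' plays the role of the flush call's third
 * argument in the advisory: the TLB is flushed only when it is set, so passing
 * 0 for an entry that was present leaves a stale translation (the XSA-78 bug). */
void pte_clear_one(unsigned iova, bool was_present)
{
    table[iova] = NOT_MAPPED;
    if (was_present)
        iotlb_flush(iova);
}

/* Map page 3, translate once to warm the TLB, clear it with the given flag, and
 * return what the device still translates to: 0 if revoked, the old phys if stale. */
uint64_t phys_after_clear(bool flush_flag)
{
    memset(table, 0, sizeof(table));
    memset(tlb, 0, sizeof(tlb));
    table[3] = 0xABC000;
    translate(3);
    pte_clear_one(3, flush_flag);
    return translate(3);
}
```

With the inverted flag the revoked page still translates to its old physical address; with the corrected flag the translation is gone.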


Patch description

http://xenbits.xen.org/xsa/xsa78.patch

VT-d: fix TLB flushing in dma_pte_clear_one()

The third parameter of __intel_iommu_iotlb_flush() is to indicate whether the to-be-flushed entry was a present one. A few lines before, we bailed if !dma_pte_present(*pte), so there's no need to check the flag here again - we can simply always pass TRUE here.

--- a/xen/drivers/passthrough/vtd/iommu.c
+++ b/xen/drivers/passthrough/vtd/iommu.c
@@ -646,7 +646,7 @@ static void dma_pte_clear_one(struct dom
     iommu_flush_cache_entry(pte, sizeof(struct dma_pte));
 
     if ( !this_cpu(iommu_dont_flush_iotlb) )
-        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K , 0, 1);
+        __intel_iommu_iotlb_flush(domain, addr >> PAGE_SHIFT_4K, 1, 1);
 
     unmap_vtd_domain_page(page);
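Review bot: the correctness of hard-coding the third argument to 1 rests on the earlier `!dma_pte_present(*pte)` bail-out that the commit message cites, but that check lies outside the hunk's context, so nothing at the call site itself shows that the entry being cleared was present; consider an assertion on `dma_pte_present(*pte)` or a one-line comment just above the flush call so the precondition is visible where the flag is fixed. The change also silently removes the stray space in `addr >> PAGE_SHIFT_4K , 0, 1`, which is a welcome cleanup but worth a word in the message so readers do not look for a second semantic change on that line.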

Consequence

Malicious guest administrators might be able to cause host-wide denial of service, or escalate their privilege to that of the host.

DoS, privilege escalation