XSA-87

CVE-2014-1666


Problem description

http://xenbits.xen.org/xsa/advisory-87.html

PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests

The PHYSDEVOP_{prepare,release}_msix operations are supposed to be available to privileged guests (domain 0 in non-disaggregated setups) only, but the necessary privilege check was missing.

Missing privilege check


Patch description

http://xenbits.xen.org/xsa/xsa87-4.2.patch

--- a/xen/arch/x86/physdev.c
+++ b/xen/arch/x86/physdev.c
@@ -612,7 +612,9 @@ ret_t do_physdev_op(int cmd, XEN_GUEST_H
     case PHYSDEVOP_release_msix: {
         struct physdev_pci_device dev;
 
-        if ( copy_from_guest(&dev, arg, 1) )
+        if ( !IS_PRIV(v->domain) )
+            ret = -EPERM;
+        else if ( copy_from_guest(&dev, arg, 1) )
             ret = -EFAULT;
         else
             ret = pci_prepare_msix(dev.seg, dev.bus, dev.devfn,
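Review bot: The IS_PRIV(v->domain) test is open-coded at the head of this one if/else chain, and only the PHYSDEVOP_release_msix label is visible in the context, so please confirm that the PHYSDEVOP_prepare_msix label leads into this same block and is gated by the same check, since the call that follows is pci_prepare_msix(...). Putting the test ahead of copy_from_guest is the right order, because an unprivileged caller then gets -EPERM before any guest memory is read. A one-line comment above the test saying that both operations are restricted to privileged domains would help keep a later refactor from reordering the branches or dropping the check.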

Adds some privilege checks


Consequence

Malicious or misbehaving unprivileged guests can cause the host or other guests to malfunction. This can result in host-wide denial of service.

DoS