CVE none (yet) assigned
non-standard PCI device functionality may render pass-through insecure
Devices with capabilities or defects that are undocumented, or that the virtualization software is unaware of, may allow guests to control parts of the host that they should not control. Here are some examples of this kind of problem:
- While XSA-120 deals with standard PCI config space accesses to the PCI control word, various devices have alternative methods to read and modify config space values. A guest which has been given such a device can definitely cause a host DoS; worse attacks cannot be ruled out.
- Devices which are physically integrated into the system chipset might have undocumented direct access to memory or other resources (as well as the documented access via the IOMMU). A guest with such a device is likely to be able to gain control of the host.
Many devices permit (or require) the loading or updating of the firmware on the device. Bad firmware is likely to be able to violate the PCI protocols (depending on the physical circuitry on the device). The impact of such violations is difficult to assess in the abstract.
Malicious firmware might also be able to cause electrical problems for the PCI bus, system power supply, and other circuitry. This could be used to mount fault-injection attacks, or even to cause damage to hardware.
Again, this will depend on the details of the device, but in general defending against bad firmware would require additional electronics. Therefore the Xen Project Security Team expects that devices which support firmware loading are unlikely to be robust against malicious firmware unless that robustness has been specifically engineered.
Since the details are device specific, special workarounds would need to be developed for any such device for which secure pass-through is desired. Developing such workarounds is a task presenting multiple challenges, particularly since the hardware details are often not officially documented, and is beyond the scope of normal security fixes.
Passing through a device providing such mechanisms, which bypass or subvert the software layers that ensure security and correctness, may expose the host to guest-induced information leaks, host crashes, and privilege escalation.
Possible information leak, DoS and privilege escalation
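As an inventory aid for the chipset-integrated case described above, the following added example (not part of the advisory or of Xen) walks a device's PCI capability list and reports whether the device identifies itself as a Root Complex Integrated Endpoint. This is a heuristic for choosing devices to review before pass-through: it neither proves nor rules out undocumented access. The sample config spaces are constructed, and the sysfs path assumes a Linux dom0.

```python
import glob, os, struct

PCI_STATUS, PCI_CAP_PTR = 0x06, 0x34
STATUS_CAP_LIST = 0x10     # status bit 4: capability list present
CAP_ID_PCIE = 0x10         # PCI Express capability ID
TYPE_RCIEP = 0x9           # Device/Port Type: Root Complex Integrated Endpoint

def pcie_device_type(cfg):
    """Device/Port Type from the PCIe capability, or None if there is none."""
    if len(cfg) < 64:
        raise ValueError("need at least the 64-byte config header")
    (status,) = struct.unpack_from("<H", cfg, PCI_STATUS)
    if not status & STATUS_CAP_LIST:
        return None
    ptr, seen = cfg[PCI_CAP_PTR] & 0xFC, set()
    # Walk the linked list; 'seen' stops a malformed, looping list.
    while ptr >= 0x40 and ptr + 4 <= len(cfg) and ptr not in seen:
        seen.add(ptr)
        if cfg[ptr] == CAP_ID_PCIE:
            (flags,) = struct.unpack_from("<H", cfg, ptr + 2)
            return (flags >> 4) & 0xF
        ptr = cfg[ptr + 1] & 0xFC
    return None

def chipset_integrated(cfg):
    """Heuristic (assumption): True when the device reports itself as an RCiEP."""
    return pcie_device_type(cfg) == TYPE_RCIEP

def make_cfg(caps):
    """Constructed sample: 256-byte config space from (offset, id, next, flags)."""
    cfg = bytearray(256)
    struct.pack_into("<H", cfg, PCI_STATUS, STATUS_CAP_LIST)
    cfg[PCI_CAP_PTR] = caps[0][0]
    for off, cap_id, nxt, flags in caps:
        cfg[off], cfg[off + 1] = cap_id, nxt
        struct.pack_into("<H", cfg, off + 2, flags)
    return bytes(cfg)

# Constructed inputs, not captured from real hardware.
INTEGRATED = make_cfg([(0x40, 0x01, 0x50, 0), (0x50, CAP_ID_PCIE, 0, 0x0092)])
ADD_IN_CARD = make_cfg([(0x40, CAP_ID_PCIE, 0, 0x0002)])
LOOPING = make_cfg([(0x40, 0x01, 0x48, 0), (0x48, 0x05, 0x40, 0)])

if __name__ == "__main__":
    # Run as root: unprivileged reads return only the first 64 bytes.
    for path in sorted(glob.glob("/sys/bus/pci/devices/*/config")):
        with open(path, "rb") as f:
            if chipset_integrated(f.read()):
                print(os.path.basename(os.path.dirname(path)), "reports as RCiEP")
```

A device that is not flagged can still have any of the properties the advisory lists; firmware-loading support and alternative config-space access paths are not visible in standard config space.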