XSA-3

CVE-2011-1898


问题描述

xsa3

VT-d (PCI passthrough) MSI trap injection

Intel VT-d chipsets without interrupt remapping do not prevent a guest which owns a PCI device from using DMA to generate MSI interrupts by writing to the interrupt injection registers. This can be exploited to inject traps and gain control of the host.

privilege uncheck (invalid MSI source)


Patch描述

http://xenbits.xen.org/hg/xen-4.1-testing.hg/rev/ed630a821de1

x86, vtd: [CVE-2011-1898] Protect against malicious MSIs from untrusted devices.

In the absence of VT-d interrupt remapping support, a device can send arbitrary APIC messages to host CPUs. One class of attack that results is to confuse the hypervisor by delivering asynchronous interrupts to vectors that are expected to handle only synchronous traps/exceptions.

We block this class of attack by:


Consequence

A malicious guest administrator on a vulnerable system is able to crash the host.

DoS