VT-d interrupt remapping source validation flaw
When passing a device which is behind a legacy PCI Bridge through to a guest Xen incorrectly configures the VT-d hardware. This could allow incorrect interrupts to be injected to other guests which also have passthrough devices.
In a typical Xen system many devices are owned by domain 0 or driver domains, leaving them vulnerable to such an attack. Such a DoS is likely to have an impact on other guests running in the system.
lack of check (invalid interrupt source)
VT-d: fix interrupt remapping source validation for devices behind legacy bridges
--- a/xen/drivers/passthrough/vtd/intremap.c +++ b/xen/drivers/passthrough/vtd/intremap.c @@ -499,7 +499,7 @@ static void set_msi_source_id(struct pci_dev *pdev, struct iremap_entry *ire) set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, (bus << 8) | pdev->bus); else if ( pdev_type(bus, devfn) == DEV_TYPE_LEGACY_PCI_BRIDGE ) - set_ire_sid(ire, SVT_VERIFY_BUS, SQ_ALL_16, + set_ire_sid(ire, SVT_VERIFY_SID_SQ, SQ_ALL_16, PCI_BDF2(bus, devfn)); } break;
A malicious domain, given access to a device which is behind a legacy PCI bridge, can mount a denial of service attack affecting the whole system.