ASA-2019-00627 – Xen: Passed through PCI devices may corrupt host memory after deassignment


Allele Security Alert

ASA-2019-00627

Identifier(s)

ASA-2019-00627, CVE-2019-18424, XSA-302

Title

Passed through PCI devices may corrupt host memory after deassignment

Vendor(s)

The Xen Project

Product(s)

Xen

Affected version(s)

All Xen versions are affected. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable; systems that do not use PCI pass-through are not vulnerable, and ARM systems are not affected.

Fixed version(s)

Xen 4.8.x and 4.9.x with the following patches applied:

[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.9/0001-IOMMU-add-missing-HVM-check.patch

[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.9/0002-passthrough-quarantine-PCI-devices.patch

Xen 4.10.x with the following patches applied:

[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.10/0001-IOMMU-add-missing-HVM-check.patch

[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.10/0002-passthrough-quarantine-PCI-devices.patch

Xen 4.11.x with the following patches applied:

[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.11/0001-IOMMU-add-missing-HVM-check.patch

[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.11/0002-passthrough-quarantine-PCI-devices.patch

Xen 4.12.x with the following patches applied:

[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.12/0001-IOMMU-add-missing-HVM-check.patch

[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.12/0002-passthrough-quarantine-PCI-devices.patch

Xen unstable with the following patch applied:

[PATCH] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302/0001-passthrough-quarantine-PCI-devices.patch

The patches are known to break on ARM. ARM is not affected by the issue, so do not apply them on ARM systems. For Xen 4.9 and earlier (which use the xsa302-4.9 patches), at least the first patch of XSA-299 (the whitespace cleanup) must be applied first for the XSA-302 patches to apply cleanly.
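The patch procedure above, as an added shell example that is not code from the Xen project or from this advisory: it derives the patch URLs for a stable series from the lists above (4.8 and 4.9 share the xsa302-4.9 patches), refuses to run on an ARM host, requires the XSA-299 prerequisite on 4.9 and earlier, and dry-runs each patch before applying it so a failed patch leaves the tree untouched. The advisory gives no URL for the XSA-299 patch, so the script takes it from the XSA299_PATCH1 environment variable (an assumed name); curl and patch are assumed to be installed.

```shell
#!/bin/sh
# Added example; not code from the Xen project or from this advisory.
# Usage: ./apply-xsa302.sh /path/to/xen-source <4.8|4.9|4.10|4.11|4.12|unstable>
# XSA299_PATCH1 (assumed environment variable) must hold the URL of the first
# XSA-299 patch when the series is 4.9 or earlier.
set -eu

XSA_BASE="https://xenbits.xen.org/xsa"

# Print the XSA-302 patch URLs for a series, one per line, in application
# order. 4.8 and 4.9 use the xsa302-4.9 patches; unstable has a single patch.
xsa302_patch_urls() {
    case "$1" in
        4.8|4.9)        dir="xsa302-4.9" ;;
        4.10|4.11|4.12) dir="xsa302-$1" ;;
        unstable)
            printf '%s\n' "$XSA_BASE/xsa302/0001-passthrough-quarantine-PCI-devices.patch"
            return 0 ;;
        *) echo "unsupported series: $1" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "$XSA_BASE/$dir/0001-IOMMU-add-missing-HVM-check.patch" \
        "$XSA_BASE/$dir/0002-passthrough-quarantine-PCI-devices.patch"
}

# Status 0 when the series needs the first XSA-299 patch applied beforehand.
needs_xsa299_prereq() {
    case "$1" in 4.8|4.9) return 0 ;; *) return 1 ;; esac
}

# ARM is not affected and the patches break there: refuse to proceed.
host_is_arm() {
    case "$(uname -m)" in arm*|aarch64) return 0 ;; *) return 1 ;; esac
}

# Download and apply the patch series to the Xen tree at $1 for series $2.
apply_xsa302() {
    tree="$1"; series="$2"
    if host_is_arm; then
        echo "ARM host: XSA-302 does not apply here, nothing to do" >&2
        return 1
    fi
    urls=$(xsa302_patch_urls "$series")
    if needs_xsa299_prereq "$series"; then
        : "${XSA299_PATCH1:?set XSA299_PATCH1 to the first XSA-299 patch URL}"
        urls="$XSA299_PATCH1
$urls"
    fi
    cd "$tree"
    for url in $urls; do
        f=${url##*/}
        curl -fsSL -o "$f" "$url"
        # Dry run first: if any hunk fails the tree is left unmodified.
        patch -p1 --dry-run < "$f"
        patch -p1 < "$f"
        echo "applied $f"
    done
}

if [ "$#" -eq 2 ]; then
    apply_xsa302 "$1" "$2"
fi
```

Run it from outside the tree with the series that matches the checked-out branch; after it completes, rebuild the hypervisor and confirm the new behaviour on the next boot before deassigning any device from a guest.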

Proof of concept

Unknown

Description

An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation.

Technical details

When a PCI device is assigned to an untrusted domain, that domain can program the device to DMA to an arbitrary bus address. The IOMMU protects the host from malicious DMA by ensuring that the addresses the device emits can only resolve to memory belonging to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is handed straight back to dom0, so its IOMMU context switches to dom0's while DMA the guest started may still be in flight. Under dom0's mappings that DMA is no longer confined to guest memory and can target critical host data.

The fix, as the patch titles indicate, is to quarantine the device: on deassignment it is moved into a dedicated quarantine domain whose IOMMU mappings give it no access to host memory, rather than being returned to dom0. In patched Xen the quarantine is enabled by default; it can be switched off with the Xen command-line option iommu=no-quarantine, which restores the vulnerable behaviour and should not be used on hosts that pass devices to untrusted guests. Short of the patches there is no mitigation other than not assigning DMA-capable devices to untrusted guests.
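Before patching, the question a host operator needs answered is whether the vulnerable configuration exists at all: which guests currently hold a DMA-capable device, and which devices are bound to pciback and waiting in the assignable pool. The following shell script is an added example, not code from the Xen project or from this advisory; it assumes the xl toolstack and the output formats of xl list, xl pci-list <domid> and xl pci-assignable-list as produced by Xen 4.x, and the domain and device names in its test data are constructed.

```shell
#!/bin/sh
# Added example; not code from the Xen project or from this advisory.
# Inventories PCI pass-through on a Xen host. Assumes the xl toolstack and
# the Xen 4.x output formats of 'xl list', 'xl pci-list <domid>' and
# 'xl pci-assignable-list'. Usage: ./xsa302-audit.sh --report

# Read 'xl list' output on stdin and print "<domid> <name>" for every domain
# except Domain-0. The header line is skipped; column 1 is the name and
# column 2 the domain ID.
guest_domains() {
    awk 'NR > 1 && $2 != 0 { print $2, $1 }'
}

# Read 'xl pci-list <domid>' output on stdin and print the host BDF of each
# device, one per line. The "Vdev Device" header is skipped; column 2 is the
# host-side bus:device.function.
pci_devices() {
    awk 'NR > 1 && NF >= 2 { print $2 }'
}

# Print one line per device assigned to a guest: "<domid> <name> <bdf>".
audit_assigned() {
    xl list | guest_domains | while read -r domid name; do
        xl pci-list "$domid" | pci_devices | while read -r bdf; do
            printf '%s %s %s\n' "$domid" "$name" "$bdf"
        done
    done
}

# Status 0 when at least one guest holds a PCI device, i.e. the host is in
# the configuration XSA-302 applies to; status 1 when no guest has
# pass-through.
passthrough_in_use() {
    [ -n "$(audit_assigned)" ]
}

# Human-readable report for the live host.
report() {
    echo "== PCI devices assigned to guests (domid name bdf) =="
    audit_assigned
    echo "== devices bound to pciback and not assigned to a guest =="
    xl pci-assignable-list
    if passthrough_in_use; then
        echo "RESULT: PCI pass-through in use; apply the XSA-302 patches"
    else
        echo "RESULT: no guest currently holds a PCI device"
    fi
}

# Only touch xl when explicitly asked, so the parsing functions can be
# sourced and exercised on captured output.
if [ "${1-}" = "--report" ]; then
    report
fi
```

A non-empty first section means some guest can drive a device that, on deassignment or teardown of that guest, would on an unpatched host be returned to dom0 with any in-flight DMA still active; those are the guests to treat as untrusted for the purpose of this advisory.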

Credits

Paul Durrant (Citrix)

Reference(s)

XSA-302 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-302.html

oss-security – Xen Security Advisory 302 v5 (CVE-2019-18424) – passed through PCI devices may corrupt host memory after deassignment
https://www.openwall.com/lists/oss-security/2019/10/31/6

[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.9/0001-IOMMU-add-missing-HVM-check.patch

[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.9/0002-passthrough-quarantine-PCI-devices.patch

[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.10/0001-IOMMU-add-missing-HVM-check.patch

[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.10/0002-passthrough-quarantine-PCI-devices.patch

[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.11/0001-IOMMU-add-missing-HVM-check.patch

[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.11/0002-passthrough-quarantine-PCI-devices.patch

[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.12/0001-IOMMU-add-missing-HVM-check.patch

[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.12/0002-passthrough-quarantine-PCI-devices.patch

[PATCH] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302/0001-passthrough-quarantine-PCI-devices.patch

CVE-2019-18424 – MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424

CVE-2019-18424 – NVD
https://nvd.nist.gov/vuln/detail/CVE-2019-18424

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 7, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.