Allele Security Alert
ASA-2019-00627
Identifier(s)
ASA-2019-00627, CVE-2019-18424, XSA-302
Title
Passed through PCI devices may corrupt host memory after deassignment
Vendor(s)
The Xen Project
Product(s)
Xen
Affected version(s)
All versions of Xen. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable; systems that do not pass physical devices through to guests are not affected.
Fixed version(s)
Xen 4.8.x and 4.9.x with the following patches applied:
[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.9/0001-IOMMU-add-missing-HVM-check.patch
[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.9/0002-passthrough-quarantine-PCI-devices.patch
Xen 4.10.x with the following patches applied:
[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.10/0001-IOMMU-add-missing-HVM-check.patch
[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.10/0002-passthrough-quarantine-PCI-devices.patch
Xen 4.11.x with the following patches applied:
[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.11/0001-IOMMU-add-missing-HVM-check.patch
[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.11/0002-passthrough-quarantine-PCI-devices.patch
Xen 4.12.x with the following patches applied:
[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.12/0001-IOMMU-add-missing-HVM-check.patch
[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.12/0002-passthrough-quarantine-PCI-devices.patch
Xen unstable with the following patch applied:
[PATCH] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302/0001-passthrough-quarantine-PCI-devices.patch
The patches are known to break on ARM. ARM is not affected by the issue, so do not apply these patches on ARM systems. For Xen 4.9 and earlier, at least the first patch of XSA-299 (the whitespace cleanup) must be applied first for the XSA-302 patches to apply cleanly.
Proof of concept
Unknown
Description
An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation.
Technical details
When a PCI device is assigned to an untrusted domain, that domain can program the device to DMA to an arbitrary address. The IOMMU protects the host from malicious DMA by ensuring that addresses issued by the device can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device was assigned straight back to dom0, whose IOMMU context covers all of host memory. Any DMA the guest had programmed and which was still in flight at that point therefore ran under dom0's mappings and could target critical host data.

The second patch ("passthrough: quarantine PCI devices") changes deassignment so that the device is no longer handed back to dom0. Instead it is bound to a dedicated quarantine domain whose IOMMU context has no mappings at all, so any transfer still in flight faults in the IOMMU rather than landing in host memory. The patch adds a `quarantine` sub-option to the `iommu=` hypervisor command-line parameter, enabled by default; disabling it restores the old behaviour, and with it the vulnerability. Not passing physical devices through to untrusted guests avoids the issue entirely.
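The following toy model is an added example, not Xen's code, written to make the deassignment problem concrete. It assumes a 4 GiB host, a single guest window of 64 MiB at 1 GiB, a host data page at 0x100000, a device at BDF 0000:03:00.0 and the domain names dom0, domU and dom_io; all of these are constructed for the example. It contrasts the two deassignment policies: rebinding the device to dom0's all-of-memory context (pre-patch) against rebinding it to an empty quarantine context (post-patch).

```c
/* Toy model of XSA-302 (added example, not Xen code): one IOMMU context
 * per domain, a device bound to one context, and a DMA the guest queued
 * before the device was taken away from it. All addresses are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RANGES     4
#define HOST_RAM_LEN   0x100000000ull  /* 4 GiB of host memory (assumed)   */
#define GUEST_WINDOW   0x040000000ull  /* domU's 64 MiB at 1 GiB (assumed) */
#define GUEST_WIN_LEN  0x004000000ull
#define HOST_SECRET    0x000100000ull  /* host data outside domU's window  */

struct range { uint64_t base, len; };

/* An IOMMU context: the host ranges a device bound to it may reach.
 * No ranges at all means every DMA faults, which is what the quarantine
 * domain (dom_io) provides. */
struct iommu_domain {
    const char *name;
    size_t nr_ranges;
    struct range ranges[MAX_RANGES];
};

struct pci_dev {
    const char *bdf;
    struct iommu_domain *ctx;     /* context the IOMMU currently applies */
    bool     dma_pending;
    uint64_t dma_target;          /* address the device will write to   */
};

/* IOMMU address check for a DMA issued by `dev`. */
static bool iommu_permits(const struct pci_dev *dev, uint64_t addr)
{
    for (size_t i = 0; i < dev->ctx->nr_ranges; i++) {
        const struct range *r = &dev->ctx->ranges[i];
        if (addr >= r->base && addr - r->base < r->len)
            return true;
    }
    return false;
}

/* The device finally issues the transfer the guest programmed. Returns
 * true if the write reached memory, false if the IOMMU rejected it. */
static bool device_fire_dma(struct pci_dev *dev)
{
    if (!dev->dma_pending)
        return false;
    dev->dma_pending = false;
    return iommu_permits(dev, dev->dma_target);
}

/* Deassignment. Pre-XSA-302: rebind to dom0's context, which maps all of
 * host memory. Post-XSA-302: rebind to a quarantine context with no
 * mappings, so in-flight DMA has nowhere to land. */
static void deassign_device(struct pci_dev *dev, struct iommu_domain *dom0,
                            struct iommu_domain *dom_io, bool quarantine)
{
    dev->ctx = quarantine ? dom_io : dom0;
}

/* Does a DMA to `target`, queued by the guest while it owned the device,
 * reach host memory? `deassign_first` models the guest being torn down
 * before the transfer completes; `quarantine` selects the fixed policy. */
static bool dma_lands(uint64_t target, bool deassign_first, bool quarantine)
{
    struct iommu_domain dom0   = { "dom0",   1, { { 0, HOST_RAM_LEN } } };
    struct iommu_domain domU   = { "domU",   1, { { GUEST_WINDOW, GUEST_WIN_LEN } } };
    struct iommu_domain dom_io = { "dom_io", 0, { { 0, 0 } } };
    struct pci_dev dev = { "0000:03:00.0", &domU, true, target };

    if (deassign_first)
        deassign_device(&dev, &dom0, &dom_io, quarantine);
    return device_fire_dma(&dev);
}

int main(void)
{
    printf("guest DMA into own window, still assigned:     %s\n",
           dma_lands(GUEST_WINDOW + 0x1000, false, false) ? "lands" : "blocked");
    printf("guest DMA at host data, still assigned:        %s\n",
           dma_lands(HOST_SECRET, false, false) ? "lands" : "blocked");
    printf("same DMA after deassign to dom0 (vulnerable):  %s\n",
           dma_lands(HOST_SECRET, true, false) ? "lands" : "blocked");
    printf("same DMA after deassign to quarantine (fixed): %s\n",
           dma_lands(HOST_SECRET, true, true) ? "lands" : "blocked");
    return 0;
}
```

The point the model isolates is that the IOMMU check is only as strong as the context the device is bound to at the moment the transfer is issued, not at the moment it was programmed. Rebinding to dom0 silently widens that context to all of host memory while the guest's descriptors are still queued; rebinding to a context with no mappings closes it instead.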
Credits
Paul Durrant (Citrix)
Reference(s)
XSA-302 – Xen Security Advisories
https://xenbits.xen.org/xsa/advisory-302.html
oss-security – Xen Security Advisory 302 v5 (CVE-2019-18424) – passed through PCI devices may corrupt host memory after deassignment
https://www.openwall.com/lists/oss-security/2019/10/31/6
[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.9/0001-IOMMU-add-missing-HVM-check.patch
[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.9/0002-passthrough-quarantine-PCI-devices.patch
[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.10/0001-IOMMU-add-missing-HVM-check.patch
[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.10/0002-passthrough-quarantine-PCI-devices.patch
[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.11/0001-IOMMU-add-missing-HVM-check.patch
[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.11/0002-passthrough-quarantine-PCI-devices.patch
[PATCH 1/2] IOMMU: add missing HVM check
https://xenbits.xen.org/xsa/xsa302-4.12/0001-IOMMU-add-missing-HVM-check.patch
[PATCH 2/2] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302-4.12/0002-passthrough-quarantine-PCI-devices.patch
[PATCH] passthrough: quarantine PCI devices
https://xenbits.xen.org/xsa/xsa302/0001-passthrough-quarantine-PCI-devices.patch
CVE-2019-18424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18424
CVE-2019-18424
https://nvd.nist.gov/vuln/detail/CVE-2019-18424
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 7, 2019