Bug 922706 (CVE-2015-2756)

Summary: VUL-0: CVE-2015-2756: xen: XSA-126: Unmediated PCI command register access in qemu
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: astieger, carnold, jbeulich, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:running:60766:moderate maint:released:sle11-sp1:61377
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: xsa126-qemut-incr.patch
xsa126-qemut.patch
xsa126-qemuu-4.3-incr.patch
xsa126-qemuu-4.3.patch
xsa126-qemuu-incr.patch
xsa126-qemuu.patch

Comment 4 Andreas Stieger 2015-03-17 16:46:56 UTC
Checked versions:
SLE 10 SP3: 3.2.3 not affected.
SLE 11 SP1: 4.0.3 affected.
SLE 11 SP3: 4.2.5 affected.
SLE 12 GA:  4.4.1 affected.
Comment 5 Swamp Workflow Management 2015-03-17 23:00:51 UTC
bugbot adjusting priority
Comment 6 Marcus Meissner 2015-03-27 16:54:46 UTC
Created attachment 629020 [details]
xsa126-qemut-incr.patch

xsa126-qemut-incr.patch attach fresh
Comment 7 Marcus Meissner 2015-03-27 16:55:22 UTC
Created attachment 629021 [details]
xsa126-qemut.patch

xsa126-qemut.patch attached
Comment 8 Marcus Meissner 2015-03-27 16:55:43 UTC
Created attachment 629022 [details]
xsa126-qemuu-4.3-incr.patch

xsa126-qemuu-4.3-incr.patch
Comment 9 Marcus Meissner 2015-03-27 16:56:14 UTC
Created attachment 629023 [details]
xsa126-qemuu-4.3.patch

new xsa126-qemuu-4.3.patch
Comment 10 Marcus Meissner 2015-03-27 16:56:39 UTC
Created attachment 629024 [details]
xsa126-qemuu-incr.patch

xsa126-qemuu-incr.patch
Comment 11 Marcus Meissner 2015-03-27 16:57:03 UTC
Created attachment 629025 [details]
xsa126-qemuu.patch

xsa126-qemuu.patch
Comment 12 Marcus Meissner 2015-03-27 16:58:46 UTC
please check if resubmits are needed, for all arches :/
Comment 13 Andreas Stieger 2015-03-27 17:02:59 UTC
V2 of the announcement updates:

ISSUE DESCRIPTION
=================

HVM guests are currently permitted to modify the memory and I/O decode
bits in the PCI command register of devices passed through to them.
Unless the device is an SR-IOV virtual function, after disabling one or
both of these bits subsequent accesses to the MMIO or I/O port ranges
would - on PCI Express devices - lead to Unsupported Request responses.
The treatment of such errors is platform specific.

Furthermore (at least) devices under control of the Linux pciback
driver in the host are handed to guests with the aforementioned bits
turned off.  This means that such accesses can similarly lead to
Unsupported

Notes on the patches to avoid confusion:

xsa126-qemuu.patch           qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa126-qemuu-4.3.patch       qemu-upstream-unstable, Xen 4.3.x
xsa126-qemut.patch           qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

For those already having the original patch in place, applying the
appropriate attached incremental patch addresses the regression.

xsa126-qemuu-incr.patch      qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa126-qemuu-4.3-incr.patch  qemu-upstream-unstable, Xen 4.3.x
xsa126-qemut-incr.patch      qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa126*.patch
bd69a0d18127793a9aa2097062ecaef76df6e6b8f729406d7d52cf66519e3b0d  xsa126-qemut-incr.patch
2a9b8f73b2a4f0cfb6b724c9a0a72dbf08cae87cd382f61f563218c32d1036a7  xsa126-qemut.patch
658bc483d1110e4e04de2d70fba1cdb20c5cecdc2f419db2d82bddc3ae1690b6  xsa126-qemuu-4.3-incr.patch
090d9262a9e9d24f0f4eca35cb0d56831d5cec6a6ba38b4c7e276d767de660c1  xsa126-qemuu-4.3.patch
3f7b6737c08ff7e119bec16c8c3b3cb832429f1410e687edf622fab57a22842e  xsa126-qemuu-incr.patch
eb5b93600267639b2cda1c5e2f937ddbecbf6c8cbd19dbb355224c39c2e40d3e  xsa126-qemuu.patch
Comment 14 Marcus Meissner 2015-03-31 12:12:38 UTC
public now
Comment 15 Marcus Meissner 2015-03-31 12:14:59 UTC
            Xen Security Advisory CVE-2015-2756 / XSA-126
                              version 3

             Unmediated PCI command register access in qemu

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

HVM guests are currently permitted to modify the memory and I/O decode
bits in the PCI command register of devices passed through to them.
Unless the device is an SR-IOV virtual function, after disabling one or
both of these bits subsequent accesses to the MMIO or I/O port ranges
would - on PCI Express devices - lead to Unsupported Request responses.
The treatment of such errors is platform specific.

Furthermore (at least) devices under control of the Linux pciback
driver in the host are handed to guests with the aforementioned bits
turned off.  This means that such accesses can similarly lead to
Unsupported Request responses until these flags are set as needed by
the guest.

IMPACT
======

In the event that the platform surfaces aforementioned UR responses as
Non-Maskable Interrupts, and either the OS is configured to treat NMIs
as fatal or (e.g. via ACPI's APEI) the platform tells the OS to treat
these errors as fatal, the host would crash, leading to a Denial of
Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Any domain which is given access to a non-SR-IOV virtual function PCI
Express device can take advantage of this vulnerability.

MITIGATION
==========

This issue can be avoided by not assigning PCI Express devices other
than SR-IOV virtual functions to untrusted HVM guests.  This issue can
also be avoided by only using PV guests or HVM guests with their
device model run in a separate (stub) domain.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa126-qemuu.patch           qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa126-qemuu-4.3.patch       qemu-upstream-unstable, Xen 4.3.x
xsa126-qemut.patch           qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

For those already having the original patch in place, applying the
appropriate attached incremental patch addresses the regression.
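The RESOLUTION section only says that the patches mediate guest access to the command register. The following C model, added here as an illustration and not taken from Xen, QEMU or the attached patches, shows one defensive policy that fits the issue description: a guest may enable the memory and I/O decode bits (a device handed over by pciback arrives with both clear), but a guest write that clears them is recorded only in an emulated copy and never reaches hardware on a non-SR-IOV device, so a later BAR access cannot produce the Unsupported Request the advisory warns about. On an SR-IOV virtual function the bits are hard-wired to zero in hardware, so forwarding them is harmless. The register bit values are the standard PCI ones; the `pt_dev` structure, the function names and the exact policy are this example's own assumptions and may differ from what the real patches do.

```c
/* Added example, not code from Xen, QEMU or the XSA-126 patches: a model of
 * mediating guest writes to a passed-through device's PCI command register.
 * Bit values are the standard PCI ones; the policy below is this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PCI_COMMAND_IO           0x0001  /* I/O space decode enable    */
#define PCI_COMMAND_MEMORY       0x0002  /* memory space decode enable */
#define PCI_COMMAND_MASTER       0x0004  /* bus mastering enable       */
#define PCI_COMMAND_INTX_DISABLE 0x0400  /* INTx assertion disable     */

#define CMD_DECODE_BITS (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)

/* Per-device state kept by the device model (hypothetical layout). */
struct pt_dev {
    bool     is_virtfn;  /* SR-IOV VF: decode bits read as zero in hardware */
    uint16_t hw_cmd;     /* value currently programmed into the real device */
    uint16_t emu_cmd;    /* emulated copy: the value the guest reads back   */
};

/* Mediate a 16-bit guest write to the command register and return the value
 * that is actually programmed into hardware. */
static uint16_t pt_cmd_write(struct pt_dev *d, uint16_t guest_val)
{
    /* The guest's view records exactly what it wrote. */
    d->emu_cmd = guest_val;

    /* Bits the guest may drive directly in both directions. */
    uint16_t through = PCI_COMMAND_MASTER | PCI_COMMAND_INTX_DISABLE;
    uint16_t hw = (d->hw_cmd & ~through) | (guest_val & through);

    if (d->is_virtfn) {
        /* A VF's decode bits are read-only zero in hardware, so forwarding
         * the guest's value is harmless; its BARs are enabled via the PF. */
        hw = (hw & ~CMD_DECODE_BITS) | (guest_val & CMD_DECODE_BITS);
    } else {
        /* Non-VF: enabling propagates (devices from pciback arrive with both
         * bits clear), but a clear never reaches hardware, since a later
         * access to a non-decoded range is what yields an Unsupported
         * Request and, on some platforms, a host NMI.  BAR sizing happens
         * against the emulated BARs, so the guest does not need the real
         * decode bits off. */
        hw |= guest_val & CMD_DECODE_BITS;
    }
    d->hw_cmd = hw;
    return hw;
}

/* Guest read: decode bits come from the emulated copy, the rest from hardware. */
static uint16_t pt_cmd_read(const struct pt_dev *d)
{
    return (d->hw_cmd & ~CMD_DECODE_BITS) | (d->emu_cmd & CMD_DECODE_BITS);
}

int main(void)
{
    /* Constructed scenario: a non-VF device handed over by pciback. */
    struct pt_dev d = { .is_virtfn = false, .hw_cmd = 0, .emu_cmd = 0 };
    printf("guest enables MEM|MASTER -> hw 0x%04x\n",
           pt_cmd_write(&d, PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER));
    printf("guest writes 0          -> hw 0x%04x, guest reads 0x%04x\n",
           pt_cmd_write(&d, 0), pt_cmd_read(&d));
    return 0;
}
```

Run stand-alone, the second line shows the hardware keeping memory decode enabled (0x0002) while the guest reads back the zero it wrote, which is the property a mediating device model needs.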
Comment 16 Charles Arnold 2015-04-01 16:31:39 UTC
Submitted.
SLE-12: MR#53894
SLE-11-SP3: SR#53976
SLE-11-SP2: SR#53978
SLE-11-SP1: SR#53980
SLE-11-SP1:Teradata: SR#53982
Comment 17 Swamp Workflow Management 2015-04-10 09:05:28 UTC
SUSE-SU-2015:0701-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 921842,922705,922706,922709,923758
CVE References: CVE-2015-2751,CVE-2015-2752,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_02-15.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_02-15.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_02-15.1
Comment 18 Swamp Workflow Management 2015-04-20 14:07:12 UTC
openSUSE-SU-2015:0732-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 861318,895528,901488,903680,910254,918995,918998,919098,919464,919663,922705,922706
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2752,CVE-2015-2756
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_02-41.1
Comment 19 Swamp Workflow Management 2015-04-21 18:06:41 UTC
SUSE-SU-2015:0745-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 918995,918998,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.15.1
Comment 20 Swamp Workflow Management 2015-04-21 18:08:02 UTC
SUSE-SU-2015:0746-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 907755,918995,918998,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.9.1
Comment 21 Swamp Workflow Management 2015-04-21 18:09:16 UTC
SUSE-SU-2015:0747-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 918995,918998,919341,919464,922705,922706
CVE References: CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2756
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_04-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_04-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_04-0.9.1
Comment 22 Marcus Meissner 2015-06-22 09:44:37 UTC
released
Comment 23 Swamp Workflow Management 2015-06-22 10:08:45 UTC
openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1