Bug 851386 - (CVE-2013-6375) VUL-0: CVE-2013-6375: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) code
(CVE-2013-6375)
VUL-0: CVE-2013-6375: xen: XSA-78: Insufficient TLB flushing in VT-d (iommu) ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:running:55163:moderate maint:r...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-20 17:12 UTC by Marcus Meissner
Modified: 2013-12-19 21:06 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa78.patch (872 bytes, patch)
2013-11-20 17:12 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-11-20 17:12:14 UTC
is public, via oss-sec

                    Xen Security Advisory XSA-78

           Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION
=================

An inverted boolean parameter resulted in TLB flushes not happening
upon clearing of a present translation table entry.  Retaining stale
TLB entries could allow guests access to memory that ought to have
been revoked, or grant greater access than intended.

IMPACT
======

Malicious guest administrators might be able to cause host-wide denial
of service, or escalate their privilege to that of the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only systems using Intel VT-d for PCI passthrough are vulnerable.

MITIGATION
==========

This issue can be avoided by not assigning PCI devices to untrusted guests on
systems supporting Intel VT-d.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa78.patch        Xen 4.2.x, Xen 4.3.x, xen-unstable

$ sha256sum xsa78*.patch
2b858188495542b393532dfeb108ae95cbb507a008b5ebf430b96c95272f9e0e  xsa78.patch
$
Comment 1 Marcus Meissner 2013-11-20 17:12:48 UTC
Created attachment 568294 [details]
xsa78.patch

xsa78.patch
Comment 2 Swamp Workflow Management 2013-11-20 23:00:16 UTC
bugbot adjusting priority
Comment 3 Charles Arnold 2013-11-25 21:13:13 UTC
Xen is submitted for SLE11-SP3 SR#: 29549
Comment 5 Swamp Workflow Management 2013-12-16 10:05:30 UTC
openSUSE-SU-2013:1876-1: An update that solves 5 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 845520,848657,849665,849667,849668,851386,851749
CVE References: CVE-2013-4416,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554
Sources used:
openSUSE 13.1 (src):    xen-4.3.1_02-4.4
Comment 6 Marcus Meissner 2013-12-19 15:43:51 UTC
done
Comment 7 Swamp Workflow Management 2013-12-19 17:48:56 UTC
Update released for: xen, xen-debuginfo, xen-debugsource, xen-devel, xen-doc-html, xen-doc-pdf, xen-kmp-debug, xen-kmp-default, xen-kmp-pae, xen-kmp-trace, xen-kmp-vmi, xen-libs, xen-libs-32bit, xen-tools, xen-tools-domU
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, x86_64)
Comment 8 Swamp Workflow Management 2013-12-19 21:06:23 UTC
SUSE-SU-2013:1923-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 833483,840997,842417,846849,848014,848657,849665,849667,849668,851386
CVE References: CVE-2013-1922,CVE-2013-2007,CVE-2013-4375,CVE-2013-4416,CVE-2013-4494,CVE-2013-4551,CVE-2013-4553,CVE-2013-4554
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.3_08-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.3_08-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.3_08-0.7.1