Bug 931625 - (CVE-2015-4103) VUL-0: CVE-2015-4103: xen: Potential unintended writes to host MSI message data field via qemu (XSA-128)
(CVE-2015-4103)
VUL-0: CVE-2015-4103: xen: Potential unintended writes to host MSI message da...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp3:61876 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-05-20 09:31 UTC by Alexander Bergmann
Modified: 2016-04-27 19:38 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa128-qemut.patch (4.65 KB, patch)
2015-05-29 14:17 UTC, Andreas Stieger
Details | Diff
xsa128-qemuu-4.3.patch (4.37 KB, patch)
2015-05-29 14:18 UTC, Andreas Stieger
Details | Diff
xsa128-qemuu.patch (4.39 KB, patch)
2015-05-29 14:18 UTC, Andreas Stieger
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2015-05-20 22:00:24 UTC
bugbot adjusting priority
Comment 5 Charles Arnold 2015-05-30 20:13:14 UTC
For submission details see bsc#932770 comment #28.
Comment 6 Andreas Stieger 2015-06-02 14:24:27 UTC
Public via http://xenbits.xen.org/xsa/advisory-128.html

            Xen Security Advisory CVE-2015-4103 / XSA-128
                              version 2

    Potential unintended writes to host MSI message data field via qemu

UPDATES IN VERSION 2
====================

Public release.

CVE assigned.

ISSUE DESCRIPTION
=================

Logic is in place to avoid writes to certain host config space fields
when the guest must nevertheless be able to access their virtual
counterparts.  A bug in how this logic deals with accesses spanning
multiple fields allows the guest to write to the host MSI message data
field.

While generally the writes write back the values previously read,
their value in config space may have got changed by the host between
the qemu read and write.  In such a case host side interrupt handling
could become confused, possibly losing interrupts or allowing spurious
interrupt injection into other guests.

IMPACT
======

Certain untrusted guest administrators may be able to confuse host
side interrupt handling, leading to a Denial of Service.

VULNERABLE SYSTEMS
==================

Xen versions 3.3 and onwards are vulnerable due to supporting PCI
pass-through.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only HVM guests with their device model run in Dom0 can take advantage
of this vulnerability.

Only HVM guests which have been granted access to physical PCI devices
(`PCI passthrough') can take advantage of this vulnerability.

Furthermore, the vulnerability is only applicable when the
passed-through PCI devices are MSI-capable.  (Most modern devices
are.)

MITIGATION
==========

This issue can be avoided by not assigning MSI capable PCI devices to
untrusted HVM guests.

This issue can also be avoided by only using PV guests.

It can also be avoided by configuring HVM guests with their device
model run in a separate (stub) domain.  (When using xl, this can be
requested with "device_model_stubdomain_override=1" in the domain
configuration file.)

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa128-qemuu.patch           qemu-upstream-unstable, Xen 4.5.x, Xen 4.4.x
xsa128-qemuu-4.3.patch       Xen 4.3.x
xsa128-qemut.patch           qemu-xen-unstable, Xen 4.5.x, Xen 4.4.x, Xen 4.3.x, Xen 4.2.x

$ sha256sum xsa128*.patch
68b85a4c7d531d343d7fac2e92dbec3677bc2e4a83de75d78d7f605a2fc8ad3f  xsa128-qemut.patch
2ec657a6f22cac922854548c9d83698656ab7a36634ad05de7f14439cc4405bc  xsa128-qemuu-4.3.patch
104cf2e2816d253cc1eca3084f6ea9b6007f7773a88bda245bab00539e08b359  xsa128-qemuu.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 8 Swamp Workflow Management 2015-06-11 15:05:49 UTC
SUSE-SU-2015:1042-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 906689,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Server 12 (src):    xen-4.4.2_06-21.1
SUSE Linux Enterprise Desktop 12 (src):    xen-4.4.2_06-21.1
Comment 9 Swamp Workflow Management 2015-06-11 18:05:08 UTC
SUSE-SU-2015:1045-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Server 11 SP3 (src):    xen-4.2.5_08-0.9.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    xen-4.2.5_08-0.9.1
Comment 10 Swamp Workflow Management 2015-06-22 10:09:46 UTC
openSUSE-SU-2015:1092-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 861318,882089,895528,901488,903680,906689,910254,912011,918995,918998,919098,919464,919663,921842,922705,922706,922709,923758,927967,929339,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2014-3615,CVE-2015-2044,CVE-2015-2045,CVE-2015-2151,CVE-2015-2152,CVE-2015-2751,CVE-2015-2752,CVE-2015-2756,CVE-2015-3209,CVE-2015-3340,CVE-2015-3456,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.2 (src):    xen-4.4.2_06-23.1
Comment 11 Swamp Workflow Management 2015-06-22 12:05:11 UTC
openSUSE-SU-2015:1094-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 922709,931625,931626,931627,931628,932770,932790,932996
CVE References: CVE-2015-2751,CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
openSUSE 13.1 (src):    xen-4.3.4_05-47.1
Comment 12 Swamp Workflow Management 2015-06-29 12:05:31 UTC
SUSE-SU-2015:1156-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    xen-4.0.3_21548_18-0.25.1
Comment 13 Swamp Workflow Management 2015-06-29 13:05:27 UTC
SUSE-SU-2015:1157-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 931625,931626,931627,931628,932770,932996
CVE References: CVE-2015-3209,CVE-2015-4103,CVE-2015-4104,CVE-2015-4105,CVE-2015-4106,CVE-2015-4163,CVE-2015-4164
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    xen-4.1.6_08-0.13.1
Comment 14 Andreas Stieger 2015-10-15 14:09:01 UTC
all fixed as I can see