From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: xen-devel@lists.xen.org,
"Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
Subject: Re: Xen Security Advisory 360 v1 - IRQ vector leak on x86
Date: Thu, 21 Jan 2021 16:05:38 +0100 [thread overview]
Message-ID: <20210121150538.rliqx26wj2bvteuu@Air-de-Roger> (raw)
In-Reply-To: <2d073bc8-418e-2b8d-9ff7-76b932f829b1@suse.com>
On Thu, Jan 21, 2021 at 03:50:55PM +0100, Jan Beulich wrote:
> On 21.01.2021 15:34, Roger Pau Monné wrote:
> > On Thu, Jan 21, 2021 at 03:20:12PM +0100, Marek Marczykowski-Górecki wrote:
> >> On Thu, Jan 21, 2021 at 02:10:48PM +0000, Xen.org security team wrote:
> >>> Xen Security Advisory XSA-360
> >>>
> >>> IRQ vector leak on x86
> >>>
> >>> ISSUE DESCRIPTION
> >>> =================
> >>>
> >>> A x86 HVM guest with PCI pass through devices can force the allocation
> >>> of all IDT vectors on the system by rebooting itself with MSI or MSI-X
> >>> capabilities enabled and entries setup.
> >>
> >> (...)
> >>
> >>> MITIGATION
> >>> ==========
> >>>
> >>> Not running HVM guests with PCI pass through devices will avoid the
> >>> vulnerability. Note that even non-malicious guests can trigger this
> >>> vulnerability as part of normal operation.
> >>
> >> Does the 'on_reboot="destroy"' mitigate the issue too? Or on_soft_reset?
> >
> > Kind of. Note you will still leak the in use vectors when the guest is
> > destroyed, but that would prevent the guest from entering a reboot
> > loop and exhausting all vectors on the system unless the admin starts
> > it again.
> >
> > In that case I think the premise of a guest 'rebooting itself' doesn't
> > apply anymore, since the guest won't be able to perform such
> > operation.
>
> And how exactly would an admin tell a guest from rebooting for
> fair reasons from one rebooting for malicious reasons? To me,
> setting 'on_reboot="destroy"' would imply there's then some
> other mechanism to restart the guest (possibly with some delay),
> or else a reboot attempt by this guest would effectively be a
> DoS to its users.
Well, I would expect there are deployments or configurations that
simply don't expect (some) domains to reboot themselves. Ie: for
example you won't expect driver domains to restart themselves I think,
and hence you could safely use on_reboot="destroy" in that case to
mitigate a compromised driver domain from exploiting this
vulnerability.
Roger.
next prev parent reply other threads:[~2021-01-21 15:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-21 14:10 Xen Security Advisory 360 v1 - IRQ vector leak on x86 Xen.org security team
2021-01-21 14:20 ` Marek Marczykowski-Górecki
2021-01-21 14:31 ` Jan Beulich
2021-01-21 14:34 ` Roger Pau Monné
2021-01-21 14:50 ` Jan Beulich
2021-01-21 15:05 ` Roger Pau Monné [this message]
2021-01-21 15:09 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210121150538.rliqx26wj2bvteuu@Air-de-Roger \
--to=roger.pau@citrix.com \
--cc=jbeulich@suse.com \
--cc=marmarek@invisiblethingslab.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).