Xen Security Advisory 461 v2 (CVE-2024-31146) - PCI device pass-through with shared resources

Xen.org security team posted 1 patch 3 months, 1 week ago

            Xen Security Advisory CVE-2024-31146 / XSA-461
                               version 2

             PCI device pass-through with shared resources

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

When multiple devices share resources and one of them is to be passed
through to a guest, the security of the entire system, and of each
guest individually, cannot be guaranteed without knowing the internals
of every guest involved.  Such a configuration therefore cannot be
security-supported, but this had not previously been stated explicitly.

Resources whose sharing is known to be problematic include, but are
not limited to:
- PCI Base Address Registers (BARs) of multiple devices mapping to the
  same page (4k on x86),
- INTx lines.

IMPACT
======

The precise effects when shared resources are in use are system, device,
guest, and resource specific.  None of privilege escalation, information
leaks, or Denial of Service (DoS) can be ruled out.

VULNERABLE SYSTEMS
==================

All systems making use of PCI pass-through are in principle vulnerable
when any kind of resource is shared.  To reiterate: even in the absence
of resource sharing, caveats apply to passing PCI devices through to
entirely untrusted guests.

MITIGATION
==========

Passing through only SR-IOV virtual functions, or only devices with
well-separated resources, avoids this particular vulnerability.  Passing
through all devices that share a given resource to the same guest also
avoids this particular vulnerability.
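The two sharing cases named in the issue description (BARs within one 4k page, and a shared INTx line) can be checked for on a host before a device is handed to a guest.  The following is an added example, not code from the advisory or from Xen; it assumes the Linux sysfs layout (/sys/bus/pci/devices/<bdf>/resource and .../irq) and uses constructed sample values rather than data from a real host.

```python
# Added example (not the advisory's or Xen's code): flag PCI devices whose memory
# BARs share a 4k page or whose legacy IRQ number is shared.  Input format follows
# Linux sysfs (/sys/bus/pci/devices/<bdf>/resource, .../irq); SAMPLE_* is constructed.
from collections import defaultdict

PAGE_SHIFT = 12          # 4k pages on x86
IORESOURCE_MEM = 0x200   # Linux resource flag bit marking a memory (not I/O) BAR

def parse_resource(text):
    """(start, end) of each populated memory BAR in a sysfs 'resource' file."""
    bars = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            start, end, flags = (int(f, 16) for f in fields)
            if start and end >= start and flags & IORESOURCE_MEM:
                bars.append((start, end))
    return bars

def shared_pages(bars_by_dev):
    """{page: {bdf, ...}} for every page touched by more than one device."""
    owners = defaultdict(set)
    for bdf, bars in bars_by_dev.items():
        for start, end in bars:
            for page in range(start >> PAGE_SHIFT, (end >> PAGE_SHIFT) + 1):
                owners[page].add(bdf)
    return {p: o for p, o in owners.items() if len(o) > 1}

def shared_irqs(irq_by_dev):
    """{irq: {bdf, ...}} for non-zero IRQ numbers used by more than one device."""
    owners = defaultdict(set)
    for bdf, irq in irq_by_dev.items():
        if irq:
            owners[irq].add(bdf)
    return {i: o for i, o in owners.items() if len(o) > 1}

# Constructed sample: 02:00.0 and 02:00.1 split one 4k page and one INTx line,
# 01:00.0 owns a whole page by itself; the all-zero line is an unused BAR.
SAMPLE_RESOURCE = {
    "0000:01:00.0": "0x00000000fe000000 0x00000000fe000fff 0x0000000000040200\n",
    "0000:02:00.0": "0x00000000fe100000 0x00000000fe1007ff 0x0000000000040200\n"
                    "0x0000000000000000 0x0000000000000000 0x0000000000000000\n",
    "0000:02:00.1": "0x00000000fe100800 0x00000000fe100fff 0x0000000000040200\n",
}
SAMPLE_IRQ = {"0000:01:00.0": 17, "0000:02:00.0": 16, "0000:02:00.1": 16}

def check_sample():
    bars = {bdf: parse_resource(txt) for bdf, txt in SAMPLE_RESOURCE.items()}
    return shared_pages(bars), shared_irqs(SAMPLE_IRQ)
```

On a live host, feed each device's resource and irq file contents to the same functions; note that the sysfs irq value switches to the MSI vector once MSI is enabled, so read it with MSI off (or use lspci -vv) to see the INTx routing.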

RESOLUTION
==========

Applying the appropriate attached patch documents this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa461.patch           xen-unstable - Xen 4.16.x

$ sha256sum xsa461*
2415504496508ad87c306aa7257e836d7c2f0bd8849656de5b586f0ab93fd17f  xsa461.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because changing the nature of devices being passed through is
very likely noticeable by the guest.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
From: Jan Beulich <jbeulich@suse.com>
Subject: x86/pass-through: documents as security-unsupported when sharing resources

When multiple devices share resources and one of them is to be passed
through to a guest, security of the entire system and of respective
guests individually cannot really be guaranteed without knowing
internals of any of the involved guests.  Therefore such a configuration
cannot really be security-supported, yet making that explicit was so far
missing.

This is XSA-461 / CVE-2024-31146.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
---
TBD: Of course the system bus(es) is a / are shared resource(s), too.
     I'm afraid I don't know the low level details of PCI to be able to
     tell whether there are any fairness guarantees there.

--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -841,6 +841,11 @@ This feature is not security supported:
 
 Only systems using IOMMUs are supported.
 
+Passing through of devices sharing resources with another device is not
+security supported.  Such sharing could e.g. be the same line interrupt being
+used by multiple devices, one of which is to be passed through, or two such
+devices having memory BARs within the same 4k page.
+
 Not compatible with migration, populate-on-demand, altp2m,
 introspection, memory sharing, or memory paging.
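Review bot: the added paragraph states "within the same 4k page" without qualification, while the advisory text for this same issue writes "the same page (4k on x86)" and the commit subject scopes the change to x86/pass-through; suggest carrying the qualifier into SUPPORT.md, e.g. "devices having memory BARs within the same page (4k on x86)", so the sentence stays accurate wherever the page size differs. It would also help to name "INTx" alongside "line interrupt", matching the advisory's own wording, so readers searching for that term find the caveat.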