oss-sec mailing list archives

Re: Re: Xen Security Advisory 467 v1 (CVE-2025-1713) - deadlock potential with VT-d and legacy PCI device pass-through


From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Thu, 27 Feb 2025 21:42:15 -0500

On Thu, Feb 27, 2025 at 03:33:18PM +0000, Teddy Astie wrote:
Hello,

On 27/02/2025 at 13:57, Xen.org security team wrote:
             Xen Security Advisory CVE-2025-1713 / XSA-467

     deadlock potential with VT-d and legacy PCI device pass-through

ISSUE DESCRIPTION
=================

When setting up interrupt remapping for legacy PCI(-X) devices,
including PCI(-X) bridges, a lookup of the upstream bridge is required.
This lookup, itself involving acquiring of a lock, is done in a context
where acquiring that lock is unsafe.  This can lead to a deadlock.

IMPACT
======

The passing through of certain kinds of devices to an unprivileged guest
can result in a Denial of Service (DoS) affecting the entire host.

Note: Normal usage of such devices by a privileged domain can also
       trigger the issue.  In such a scenario, the deadlock is not
       considered a security issue, but just a plain bug.

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and later are affected.  Xen versions 3.4 and earlier
are not directly affected, but had other issues.

Systems with Intel IOMMU hardware (VT-d) are affected.  Systems using
AMD or non-x86 hardware are not affected.

Only systems where certain kinds of devices are passed through to an
unprivileged guest are vulnerable.

MITIGATION
==========

Avoiding the passing through of the affected device types will avoid
the vulnerability.


Is disabling interrupt remapping another way of mitigating this
vulnerability (e.g. iommu=no-intremap)?

No, as this allows other attacks that allow denial of service at the
very least.  See
https://lore.kernel.org/xen-devel/19915.58644.191837.671729 () mariner uk xensource com/.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
