/
qsb-095-2023.txt
81 lines (57 loc) · 2.31 KB
/
qsb-095-2023.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
---===[ Qubes Security Bulletin 095 ]===---
2023-10-10
Missing IOMMU TLB flushing on x86 AMD systems
User action
------------
Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is required in
response to this QSB.
Summary
--------
On 2023-10-10, the Xen Project published XSA-442, "x86/AMD: missing
IOMMU TLB flushing" [3]:
| The caching invalidation guidelines from the AMD-Vi specification (48882—Rev
| 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction
| (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU
| TLB is not flushed.
|
| Such stale DMA mappings can point to memory ranges not owned by the guest,
| thus allowing access to unindented memory regions.
Impact
-------
On affected systems, an attacker who compromises a qube with access to a PCI
device could attempt to exploit this vulnerability in order to escalate the
attacker's privileges, perform a denial-of-service (DoS) attack against the
host, and leak information. In the default Qubes OS configuration, the qubes
that have access to PCI devices are sys-net and sys-usb.
Affected systems
-----------------
Only x86 AMD systems are vulnerable.
Patching
---------
The following packages contain security updates that address the
vulnerabilities described in this bulletin:
For Qubes 4.1, in dom0:
- Xen packages, version 4.14.6-3
For Qubes 4.2, in dom0:
- Xen packages, version 4.17.2-3
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]
Dom0 must be restarted afterward in order for the updates to take
effect.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Credits
--------
See the original Xen Security Advisory.
References
-----------
[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-442.html
--
The Qubes Security Team
https://www.qubes-os.org/security/