Xen.org security team
2018-11-20 13:26:23 UTC
insufficient TLB flushing / improper large page mappings with AMD IOMMUs
UPDATES IN VERSION 2
In order to be certain that no undue access to memory is possible
anymore after IOMMU mappings of this memory have been removed,
Translation Lookaside Buffers (TLBs) need to be flushed after most
changes to such mappings. Xen bypassed certain IOMMU flushes on AMD
Furthermore, logic exists in Xen to re-combine small page mappings
into larger ones. Such re-combination could have occurred in cases
when it was not really safe/correct to do so.
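The two mechanisms described above, a cached IOMMU translation that survives an unmap which is not followed by a TLB flush, and small-to-large page re-combination that is only correct when the small entries really form one uniform large page, in a constructed toy model. This is an added example and not Xen's AMD IOMMU code: the flat single-level table, the 16-page "large page", the entry counts, the flag bits and every function name are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model (not Xen code): a flat IOMMU page table and the
 * IOTLB that caches its translations on the device side. */
#define PAGE_SHIFT      12
#define PAGE_SIZE       (1ULL << PAGE_SHIFT)
#define NR_PTES         64           /* device-visible frames in the toy table */
#define TLB_ENTRIES     8            /* cached translations */
#define SUPERPAGE_PAGES 16u          /* toy large page = 16 small pages */
#define PTE_PRESENT     0x1u
#define PTE_WRITE       0x2u

struct pte       { uint64_t maddr; unsigned int flags; };
struct tlb_entry { bool valid; unsigned long dfn; uint64_t maddr; unsigned int flags; };
struct iommu {
    struct pte       pt[NR_PTES];
    struct tlb_entry tlb[TLB_ENTRIES];
    size_t           tlb_next;       /* round-robin replacement cursor */
};

static void iommu_init(struct iommu *io) { memset(io, 0, sizeof(*io)); }

static void iommu_map(struct iommu *io, unsigned long dfn, uint64_t maddr, unsigned int flags)
{
    io->pt[dfn].maddr = maddr;
    io->pt[dfn].flags = flags | PTE_PRESENT;
}

static void iommu_unmap(struct iommu *io, unsigned long dfn)
{
    io->pt[dfn].maddr = 0;
    io->pt[dfn].flags = 0;
}

/* The step the advisory requires after a mapping change: drop every cached
 * translation so the device must re-walk the (now changed) table. */
static void iommu_flush_tlb(struct iommu *io)
{
    for (size_t i = 0; i < TLB_ENTRIES; i++)
        io->tlb[i].valid = false;
}

/* Device-side translation: a TLB hit is used as-is without re-reading the
 * table; on a miss the table is walked and the result is cached. */
static bool device_translate(struct iommu *io, unsigned long dfn, bool write, uint64_t *maddr)
{
    for (size_t i = 0; i < TLB_ENTRIES; i++) {
        struct tlb_entry *t = &io->tlb[i];
        if (t->valid && t->dfn == dfn) {
            if (write && !(t->flags & PTE_WRITE))
                return false;
            *maddr = t->maddr;
            return true;
        }
    }
    const struct pte *p = &io->pt[dfn];
    if (!(p->flags & PTE_PRESENT) || (write && !(p->flags & PTE_WRITE)))
        return false;
    struct tlb_entry *t = &io->tlb[io->tlb_next];
    io->tlb_next = (io->tlb_next + 1) % TLB_ENTRIES;
    *t = (struct tlb_entry){ true, dfn, p->maddr, p->flags };
    *maddr = p->maddr;
    return true;
}

/* Scenario 1: map, let the device cache the translation, unmap. Without a
 * flush the stale TLB entry still resolves, so the page stays reachable. */
static bool device_reaches_page_after_unmap(bool flush)
{
    struct iommu io;
    uint64_t maddr;
    iommu_init(&io);
    iommu_map(&io, 5, 0x40000000ULL, PTE_WRITE);
    (void)device_translate(&io, 5, true, &maddr);   /* populates the TLB */
    iommu_unmap(&io, 5);
    if (flush)
        iommu_flush_tlb(&io);
    return device_translate(&io, 5, true, &maddr);  /* true == stale access */
}

/* Scenario 2: re-combining small entries into one large entry is only
 * correct when the range is large-page aligned in both address spaces,
 * every entry is present and contiguous, and all permissions are identical. */
static bool can_coalesce(const struct iommu *io, unsigned long dfn)
{
    const struct pte *base = &io->pt[dfn];
    if (dfn % SUPERPAGE_PAGES || dfn + SUPERPAGE_PAGES > NR_PTES)
        return false;
    if (!(base->flags & PTE_PRESENT) || (base->maddr & (SUPERPAGE_PAGES * PAGE_SIZE - 1)))
        return false;
    for (unsigned int i = 1; i < SUPERPAGE_PAGES; i++) {
        const struct pte *p = &io->pt[dfn + i];
        if (p->flags != base->flags || p->maddr != base->maddr + i * PAGE_SIZE)
            return false;
    }
    return true;
}

/* Build 16 uniform small mappings at dfn 16..31, optionally break one invariant. */
static bool coalesce_check(int breakage)
{
    struct iommu io;
    iommu_init(&io);
    for (unsigned int i = 0; i < SUPERPAGE_PAGES; i++)
        iommu_map(&io, 16 + i, 0x80000000ULL + i * PAGE_SIZE, PTE_WRITE);
    if (breakage == 1) iommu_map(&io, 16 + 7, 0x80000000ULL + 7 * PAGE_SIZE, 0); /* read-only page */
    if (breakage == 2) iommu_unmap(&io, 16 + 3);                                  /* hole in range */
    if (breakage == 3) iommu_map(&io, 16 + 9, 0x90000000ULL, PTE_WRITE);         /* non-contiguous */
    return can_coalesce(&io, 16);
}

int main(void)
{
    printf("stale access after unmap, no flush   : %d\n", device_reaches_page_after_unmap(false));
    printf("stale access after unmap, with flush : %d\n", device_reaches_page_after_unmap(true));
    printf("coalesce uniform/contiguous/hole/gap : %d %d %d %d\n",
           coalesce_check(0), coalesce_check(1), coalesce_check(2), coalesce_check(3));
    return 0;
}
```

The first scenario is the flushing half of the advisory: the table says the page is gone, but the device keeps using its cached answer until a flush forces a re-walk. The second is the large-page half: `can_coalesce()` refuses the merge as soon as any one small entry differs in permissions, is absent, or is not physically contiguous, which is exactly the kind of condition under which a re-combination would grant the device a mapping the individual entries never authorised.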
A malicious or buggy guest may be able to escalate its privileges, may
cause a Denial of Service (DoS) affecting the entire host, or may be
able to access data it is not supposed to access (information leak).
Xen versions from at least 3.2 onwards are affected. Note that the
situation is worse in 4.1 and earlier, in that there's no flushing of
the TLB at all.
Only systems with AMD x86 hardware with enabled IOMMU are affected.
ARM and Intel x86 systems, and AMD x86 systems without enabled IOMMU,
are not affected.
Only systems where physical PCI devices are assigned to untrusted guests
There is no known mitigation for affected system/guest combinations.
This issue was discovered by Paul Durrant of Citrix.
Applying the appropriate set of attached patches resolves this issue.
xsa275-4.11-?.patch Xen 4.11.x ... Xen 4.8.x
xsa275-4.7-?.patch Xen 4.7.x
$ sha256sum xsa275*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy: