On 24/10/2025 1:54 pm, Teddy Astie wrote:
> On 24/10/2025 at 14:14, Xen.org security team wrote:
>>              Xen Security Advisory CVE-2025-58149 / XSA-476
>>
>>           Incorrect removal of permissions on PCI device unplug
>>
>> ISSUE DESCRIPTION
>> =================
>>
>> When passing through PCI devices, the detach logic in libxl won't remove
>> access permissions to any 64bit memory BARs the device might have.  As a
>> result a domain can still access any 64bit memory BAR when such
>> device is no longer assigned to the domain.
>>
> Is it exclusive to devices where the BAR is above 32 bits (which requires 
> things like Above 4G Decoding / Resizable BAR), or are all devices affected?

The scanf() only gets the bottom 32 bits of the BAR address, and drops
the upper bits.

>
>> For PV domains the permission leak allows the domain itself to map the memory
>> in the page-tables.  For HVM it would require a compromised device model or
>> stubdomain to map the leaked memory into the HVM domain p2m.
>>
> Do HVM guests actually need the device model to perform this?

It's DOMCTL_memory_mapping which modifies the P2M.  An HVM guest would
need to get the device model to make this hypercall on its behalf in a
non-standard way.

>
>> IMPACT
>> ======
>>
>> A buggy or malicious PV guest can access memory of PCI devices no longer
>> assigned to it.
>>
>> VULNERABLE SYSTEMS
>> ==================
>>
>> Xen versions 4.0 and newer are vulnerable.
>>
>> Only PV guests with PCI passthrough devices can leverage the vulnerability.
>>
>> Only domains whose PCI devices are managed by the libxl library are affected.
>> This includes the xl toolstack and xapi, which uses the xl toolstack when
>> dealing with PCI devices.
>>
> XAPI doesn't appear to have PCI hotplug facilities, so it shouldn't be 
> able to trigger this vulnerability. Unless I missed something.

Xapi execs `xl pci-attach/detach`.

~Andrew
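The "only the bottom 32 bits" point above, as an added worked example (my code, not libxl's, and not the XSA-476 patch): the same sysfs-style "start end flags" lines are parsed once with %llx into 64-bit variables and once with %x into 32-bit variables, and the two results are compared to find memory BARs a detach driven by the 32-bit parse would leave accessible. The resource file contents are constructed for the example (a 32-bit BAR below 4G and a 64-bit BAR above 4G); the IORESOURCE_* bit values are the ones from Linux include/linux/ioport.h; how exactly libxl reads the file is not reproduced here, only the truncation class of bug Andrew describes.

```c
#include <stdio.h>

/* Linux resource-flag bits relevant here (values from include/linux/ioport.h). */
#define IORESOURCE_IO      0x00000100
#define IORESOURCE_MEM     0x00000200
#define IORESOURCE_MEM_64  0x00100000

#define MAX_RES 16

struct res { unsigned long long start, end, flags; };

/* Constructed stand-in for /sys/bus/pci/devices/<BDF>/resource: one
 * "start end flags" line per BAR, 16 hex digits per field.  Line 1 is a
 * 32-bit memory BAR below 4G; line 3 is a 64-bit prefetchable memory BAR
 * placed above 4G (what Above 4G Decoding gives you); the other lines are
 * unused BARs.  Not captured from a real device. */
static const char sample_resource[] =
    "0x00000000fe000000 0x00000000fe0fffff 0x0000000000040200\n"
    "0x0000000000000000 0x0000000000000000 0x0000000000000000\n"
    "0x00000001f0000000 0x00000001ffffffff 0x000000000014220c\n"
    "0x0000000000000000 0x0000000000000000 0x0000000000000000\n";

/* Correct parse: every field is read as unsigned long long, so a BAR above
 * 4G keeps its upper address bits. */
static int parse_resource_64(const char *text, struct res *out, int max)
{
    int n = 0, used = 0;
    unsigned long long s, e, f;

    while (n < max && *text &&
           sscanf(text, "0x%llx 0x%llx 0x%llx\n%n", &s, &e, &f, &used) == 3) {
        out[n].start = s; out[n].end = e; out[n].flags = f; n++;
        text += used;
    }
    return n;
}

/* The failure mode from the thread: the same line read with plain %x into
 * 32-bit variables.  Only the low 32 bits of each field survive (glibc and
 * musl truncate; ISO C does not define the out-of-range case, so this is a
 * model of the bug, not a portability guarantee). */
static int parse_resource_32(const char *text, struct res *out, int max)
{
    int n = 0, used = 0;
    unsigned int s, e, f;

    while (n < max && *text &&
           sscanf(text, "0x%x 0x%x 0x%x\n%n", &s, &e, &f, &used) == 3) {
        out[n].start = s; out[n].end = e; out[n].flags = f; n++;
        text += used;
    }
    return n;
}

/* Count populated memory BARs whose [start, end] range as seen by the detach
 * path differs from the device's real range.  Each such BAR is one whose
 * permissions a detach driven by that parse would fail to revoke. */
static int count_unrevoked_mem_bars(const struct res *real,
                                    const struct res *seen, int n)
{
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        if (!(real[i].flags & IORESOURCE_MEM))
            continue;                       /* unused or I/O-port BAR */
        if (seen[i].start != real[i].start || seen[i].end != real[i].end)
            leaked++;
    }
    return leaked;
}

int main(void)
{
    struct res real[MAX_RES], seen[MAX_RES];
    int n = parse_resource_64(sample_resource, real, MAX_RES);
    int m = parse_resource_32(sample_resource, seen, MAX_RES);

    for (int i = 0; i < n && i < m; i++)
        printf("BAR%d real %#llx-%#llx  32-bit parse %#llx-%#llx%s\n", i,
               real[i].start, real[i].end, seen[i].start, seen[i].end,
               (real[i].flags & IORESOURCE_MEM_64) ? "  (64-bit BAR)" : "");
    printf("memory BARs left accessible after a 32-bit-parse detach: %d\n",
           count_unrevoked_mem_bars(real, seen, n < m ? n : m));
    return 0;
}
```

The 32-bit BAR below 4G parses identically both ways, which is why this only bites devices with a BAR placed above 4G; the 64-bit BAR's range is mangled by the narrow parse, so a revoke keyed on that range misses the real one.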
