This can occur during domain reconfigurations, and can be mitigated by extra diligence in domain setup, as well as keeping the domain ID mapping between physical devices consistent. Whether or not it is possible to cause a Xen domain to leak domain IDs however, is irrelevant. The danger is that for a long enough period of time, domain IDs will start to accumulate within a domain, potentially filling up the domain ID range of a given physical device. This can be a problem as VT-d relies on domain IDs to associate a virtual machine with a particular physical device. The race in the Xen domain ID mapping can be exploited to leak domain IDs and cause a domain to flush housekeeping data, causing a delayed flushing of data to the hypervisor to cause a crash.
Verify domain ID Mapping
There are two ways to mitigate this issue, the first is by verifying that domain IDs for your domains map. The second way is to mitigate the issue of too many domain IDs being allocated on a given physical device, which can be done by ensuring you only allocate enough domains per physical device to avoid race conditions.
Xen Dom0 Booting with a Domain ID Leak
A new vulnerability, CVE-2022-26357, was discovered which can cause a domain to flush housekeeping data during domain reconfigurations. This can be exploited to leak domain IDs and cause a domain to flush housekeeping data, causing a delayed flushing of data to the hypervisor to cause a crash.
CVE-2023-26358
This can occur during domain reconfigurations, and can be mitigated by extra diligence in domain setup, as well as keeping the domain ID mapping between physical devices consistent. Whether or not it is possible to cause a Xen domain to leak domain IDs however, is irrelevant. The danger is that for a long enough period of time, domain IDs will start to accumulate within a domain, potentially filling up the domain ID range of a given physical device. This can be a problem as VT-d relies on domain IDs to associate a virtual machine with a particular physical device. The race in the Xen domain ID mapping can be exploited to leak domain IDs and cause a privileged VCPU to flush housekeeping data, causing a delayed flushing of data to the hypervisor to cause a crash.
Xen Dom0 hangs after a domain wipe
All software running on the Xen hypervisor may be suspectible to this type of race condition. However, because a crash can only occur if a domain ID is leaked and there is enough memory, it will most likely take place during boot when domains are created or destroyed.
The above example was run on the QEMU emulator, which uses e1000 drivers, but similar effects can occur in real hardware as well.
Timeline
Published on: 04/05/2022 13:15:00 UTC
Last modified on: 07/01/2022 17:36:00 UTC
References
- https://xenbits.xenproject.org/xsa/advisory-399.txt
- http://xenbits.xen.org/xsa/advisory-399.html
- http://www.openwall.com/lists/oss-security/2022/04/05/2
- https://www.debian.org/security/2022/dsa-5117
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26357