Xen Project XSA-460
History: Aug 13, 2024 - 12:00 p.m.

error handling in x86 IOMMU identity mapping

2024-08-13 12:00:00
Xen Project
xenbits.xen.org
Tags: intel vt-d, amd-vi, pci devices, legacy usb emulation, error handling, denial of service, privilege escalation, information leaks, xen, xsa-378, vulnerable systems

AI Score: 7.5
Confidence: Low

ISSUE DESCRIPTION

Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, “RMRR”) for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation.
Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuously accessible by the device. In the logic establishing these mappings, error handling was flawed, which could result in such mappings remaining in place when they should have been removed again. The respective guests would then gain access to memory regions which they are not supposed to be able to access.
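The bug class described above is partial-failure cleanup: a routine establishes a run of identity mappings page by page, hits an error part-way through, reports the error, but leaves the pages it had already mapped in place. The following is an added illustration, not Xen's IOMMU code and not the XSA-460 patch; the page-table model (a flag per frame), the failure injection in map_page(), and the names map_region_flawed, map_region_fixed, run_scenario and mapped_count are all constructed for this example. It contrasts the flawed error path with one that rolls back every mapping it established before returning the error, so that a failed attach leaves no stale mapping behind.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy identity-map table: one "mapped" flag per page frame (constructed). */
#define NR_FRAMES 64
static bool mapped[NR_FRAMES];
/* Frame at which map_page() is made to fail; -1 means never (hypothetical). */
static int fail_at = -1;

static void reset(int failing_frame)
{
    memset(mapped, 0, sizeof(mapped));
    fail_at = failing_frame;
}

/* Simulated per-page IOMMU map: returns 0 on success, -1 on (injected) error. */
static int map_page(unsigned int frame)
{
    if ((int)frame == fail_at)
        return -1;
    mapped[frame] = true;
    return 0;
}

static void unmap_page(unsigned int frame)
{
    mapped[frame] = false;
}

/* Flawed pattern: stop at the first error and report it, but leave every
 * page mapped before the failing one in place. The caller sees -1, yet the
 * device still has access to the partially established region. */
int map_region_flawed(unsigned int start, unsigned int count)
{
    for (unsigned int i = 0; i < count; i++)
        if (map_page(start + i) < 0)
            return -1;
    return 0;
}

/* Corrected pattern: on error, roll back every page established so far, so
 * a failed call leaves the table exactly as it was before the call. */
int map_region_fixed(unsigned int start, unsigned int count)
{
    unsigned int i;

    for (i = 0; i < count; i++)
        if (map_page(start + i) < 0)
            goto rollback;
    return 0;

rollback:
    /* i is the index that failed; pages start .. start+i-1 are mapped. */
    while (i-- > 0)
        unmap_page(start + i);
    return -1;
}

/* Number of frames left mapped; lets a caller check the table after a call. */
unsigned int mapped_count(void)
{
    unsigned int n = 0;
    for (unsigned int f = 0; f < NR_FRAMES; f++)
        n += mapped[f] ? 1 : 0;
    return n;
}

/* Run one scenario end to end: reset the table, inject a failure at
 * failing_frame, and map [start, start+count) with either variant. */
int run_scenario(bool fixed, unsigned int start, unsigned int count,
                 int failing_frame)
{
    reset(failing_frame);
    return fixed ? map_region_fixed(start, count)
                 : map_region_flawed(start, count);
}

int main(void)
{
    int rc = run_scenario(false, 8, 8, 12);
    printf("flawed: rc=%d, frames still mapped=%u\n", rc, mapped_count());
    rc = run_scenario(true, 8, 8, 12);
    printf("fixed:  rc=%d, frames still mapped=%u\n", rc, mapped_count());
    return 0;
}
```

With a failure injected at frame 12 while mapping frames 8 through 15, the flawed variant returns an error but leaves frames 8 to 11 mapped; the corrected variant returns the same error with nothing mapped. The rollback loop uses the loop index as the record of how far the routine got, which is the simplest way to guarantee the unwinding matches exactly what was established.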

IMPACT

The precise impact is system specific. Denial of Service (DoS) affecting the entire host or individual guests, privilege escalation, and information leaks cannot be ruled out.

VULNERABLE SYSTEMS

Only x86 systems passing PCI devices with RMRR/Unity regions through to guests are potentially affected.
PCI devices listed in a vm.cfg file have error handling which causes xl create to abort and tear down the domain, and is thus believed to be safe.
PCI devices attached using xl pci-attach will result in the command returning nonzero, but will not tear down the domain. VMs which continue to run after xl pci-attach has failed expose the vulnerability.
For x86 Intel hardware, Xen versions 4.0 and later are affected.
For all x86 hardware, Xen versions having the XSA-378 fixes applied / backported are affected.
