PCI passthrough regression caused by the fix for CVE-2011-1898


Issue

The fix for CVE-2011-1898 introduced a regression in the way PCI passthrough works. Depending on how virtualization guests are configured to use PCI passthrough devices, this regression can prevent those guests from starting.

PCI passthrough[1] allows virtualized guests to directly access various hardware devices and components (it allows you to assign a PCI device to a guest). CVE-2011-1898 describes a flaw that allows a privileged guest user in a KVM (Kernel-based Virtual Machine) or Xen hypervisor guest to crash the host or escalate their privileges on the host, when the host was using PCI passthrough without interrupt remapping support.

The CVE-2011-1898 flaw affected the Xen hypervisor on Red Hat Enterprise Linux 5 hosts (refer to the Note below about KVM on Red Hat Enterprise Linux 5), and the KVM hypervisor on Red Hat Enterprise Linux 6 hosts (there is no Xen hypervisor in Red Hat Enterprise Linux 6). The flaw was fixed by the RHSA-2011:1479, RHSA-2011:1189, and RHSA-2012:0358 updates for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 5.6 Extended Update Support, respectively; however, the updates introduced a regression.

After installing RHSA-2011:1479, RHSA-2011:1189, or RHSA-2012:0358, it will not be possible to use PCI passthrough without interrupt remapping. Device assignment will fail with a 'Failed to assign device "[device name]" : Operation not permitted' error for users of KVM, and an 'Interrupt Remapping hardware not found, passing devices to unprivileged domains is insecure. If you really want to do this, please boot with "iommu=no-intremap"' error for Xen hypervisor users.

Depending on how guests are configured to use PCI passthrough devices, this regression can prevent those guests from starting.

Note: The KVM version in Red Hat Enterprise Linux 5 does not have interrupt remapping support. Red Hat cannot backport this support as it is too invasive and has a high risk of introducing severe regressions at this point in the Red Hat Enterprise Linux 5 life-cycle. As such, Red Hat recommends that users of KVM on Red Hat Enterprise Linux 5 only use PCI passthrough with trusted guests.

Environment Summary

If your hardware does not support interrupt remapping, and the RHSA-2011:1479, RHSA-2011:1189, or RHSA-2012:0358 update has been installed, the regression affects:

  • Users of KVM on Red Hat Enterprise Linux 6 hosts.
  • Users of fully-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts.

For para-virtualized Xen hypervisor guests, PCI passthrough is always allowed and is therefore vulnerable to CVE-2011-1898. Red Hat recommends PCI passthrough only be used with trusted para-virtualized Xen hypervisor guests.

Environment: KVM running on Red Hat Enterprise Linux 6

For users of KVM on Red Hat Enterprise Linux 6 hosts, the regression after installing RHSA-2011:1189 affects:

  • All systems using an AMD processor and chipset that have AMD I/O Virtualization (AMD-Vi) support. Such hardware has interrupt remapping support; however, the software support is not yet available upstream.
  • All systems using an Intel processor and chipset that have support for Intel Virtualization Technology for Directed I/O (VT-d), but do not have support for interrupt remapping. Interrupt remapping support is provided in newer processors and chipsets.

To identify if your system has support for interrupt remapping:

  1. Run the dmesg | grep ecap command.
  2. On the IOMMU lines, the hexadecimal value after "ecap" is the VT-d extended capability register; its bit 3 indicates whether interrupt remapping is supported. If the last character of this value is an 8, 9, a, b, c, d, e, or f (that is, bit 3 is set), interrupt remapping is supported. For example, "ecap 1000" indicates there is no interrupt remapping support. "ecap 10207f" indicates interrupt remapping support, as the last character is an "f".

Interrupt remapping will only be enabled if every IOMMU supports it.

Alternatively, run the following script to determine if your system has interrupt remapping support:

    #!/bin/sh
    # Interrupt remapping is only enabled when every IOMMU reports it, so
    # every "ecap" value printed by dmesg must have bit 3 set.
    if [ "$(dmesg | grep ecap | wc -l)" -eq 0 ]; then
      # No VT-d IOMMU was reported at all.
      echo "No interrupt remapping support found"
      exit 1
    fi
    for i in $(dmesg | grep ecap | awk '{print $NF}'); do
      # (ecap & 0xf) >> 3 is 1 exactly when bit 3 (interrupt remapping) is set.
      if [ $(( (0x$i & 0xf) >> 3 )) -ne 1 ]; then
        echo "Interrupt remapping not supported"
        exit 1
      fi
    done
    echo "Interrupt remapping support available"
    exit 0

Workaround

If you wish to continue using PCI passthrough without interrupt remapping for KVM guests, the previous, vulnerable behavior can be restored by running the following command as root:

echo 1 > /sys/module/kvm/parameters/allow_unsafe_assigned_interrupts

To make this change persist across reboots, add the following to /etc/modprobe.d/kvm.conf (or create this file, if it does not exist):

options kvm allow_unsafe_assigned_interrupts=1

(Using this option reintroduces CVE-2011-1898.)
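
The following script is an added example and not part of the Red Hat article: it combines the two checks above (the IOMMU "ecap" bit and the kvm allow_unsafe_assigned_interrupts parameter) into functions that classify a Red Hat Enterprise Linux 6 KVM host as fixed, regressed (device assignment blocked), or deliberately re-exposed to CVE-2011-1898. The sample dmesg lines are constructed, using the two ecap values quoted in the article; testing bit 3 of ecap is the same rule as the "last hex digit is 8 to f" check. The function and state names are this example's own.

```shell
#!/bin/sh
# Added example: classify a RHEL 6 KVM host's PCI passthrough state with
# respect to CVE-2011-1898. Not from the Red Hat article; the function and
# state names below are this example's own.

# Print "yes" if every IOMMU "ecap" value in the given dmesg text has bit 3
# (VT-d interrupt remapping) set, "no" if any IOMMU lacks it, and "none" if
# no ecap line is present at all (no VT-d IOMMU was reported).
iommu_ir_supported() {
  seen=0
  for v in $(printf '%s\n' "$1" | grep ecap | awk '{print $NF}'); do
    seen=1
    # Same test as "last hex digit is 8..f": bit 3 of ecap must be set.
    if [ $(( 0x$v & 0x8 )) -eq 0 ]; then
      echo no
      return 0
    fi
  done
  [ "$seen" -eq 1 ] && echo yes || echo none
}

# Map (interrupt remapping available?, allow_unsafe_assigned_interrupts
# value) to the host's state after the RHSA-2011:1189 update:
#   safe-passthrough        IR hardware present; the fix applies, no regression
#   passthrough-blocked     no IR, parameter 0: device assignment fails with
#                           "Operation not permitted" (the regression)
#   vulnerable-passthrough  no IR, parameter 1: passthrough works but
#                           CVE-2011-1898 is reintroduced
kvm_host_state() {
  ir=$1
  unsafe=$2
  if [ "$ir" = yes ]; then
    echo safe-passthrough
  elif [ "$unsafe" = 1 ]; then
    echo vulnerable-passthrough
  else
    echo passthrough-blocked
  fi
}

# Constructed sample dmesg output (not captured from a real host); the ecap
# values are the two quoted in the article, the cap values are made up.
SAMPLE_DMESG_NO_IR='DMAR: IOMMU 0: reg_base_addr fed90000 ver 1:0 cap c0000020e60262 ecap 1000'
SAMPLE_DMESG_IR='DMAR: IOMMU 0: reg_base_addr fed90000 ver 1:0 cap c90780106f0462 ecap 10207f'
# Two IOMMUs, only one of which supports IR: remapping will not be enabled.
SAMPLE_DMESG_MIXED="$SAMPLE_DMESG_IR
DMAR: IOMMU 1: reg_base_addr fed91000 ver 1:0 cap c0000020e60262 ecap 1000"

for s in "$SAMPLE_DMESG_NO_IR" "$SAMPLE_DMESG_IR" "$SAMPLE_DMESG_MIXED"; do
  ir=$(iommu_ir_supported "$s")
  echo "sample: ir=$ir param=0 -> $(kvm_host_state "$ir" 0); param=1 -> $(kvm_host_state "$ir" 1)"
done

# Live check, only meaningful on a host with the kvm module loaded.
PARAM=/sys/module/kvm/parameters/allow_unsafe_assigned_interrupts
if [ -r "$PARAM" ]; then
  ir=$(iommu_ir_supported "$(dmesg 2>/dev/null)")
  echo "host: ir=$ir param=$(cat "$PARAM") -> $(kvm_host_state "$ir" "$(cat "$PARAM")")"
fi
```

A host reported as vulnerable-passthrough is one where the workaround above is in effect; the kvm.conf line is what keeps it that way across reboots, so remove it once the host is replaced by hardware with interrupt remapping.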

Environment: Xen hypervisor running on Red Hat Enterprise Linux 5

Passing a PCI device to a para-virtualized Xen hypervisor guest always works and is therefore vulnerable to CVE-2011-1898. Red Hat recommends that users of para-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts only use PCI passthrough with trusted guests.

For users of fully-virtualized Xen hypervisor guests on Red Hat Enterprise Linux 5 hosts that have the RHSA-2011:1479 or RHSA-2012:0358 update installed, the regression affects systems using an Intel processor and chipset that have support for Intel Virtualization Technology for Directed I/O (VT-d), but do not have support for interrupt remapping.

Interrupt remapping support is provided in newer processors and chipsets. To identify if your system has support for interrupt remapping:

  1. Reboot the host and set the log level to info (using the loglvl=info kernel boot option).
  2. Run the xm dmesg | grep "Interrupt Remapping hardware not found" command. If this message is found, there is no interrupt remapping support and PCI passthrough will be disabled for security reasons (PCI devices will not be able to be passed to fully-virtualized guests).

Workaround

If you wish to use PCI passthrough for fully-virtualized Xen hypervisor guests on systems that do not have interrupt remapping, the previous, vulnerable behavior can be restored by rebooting the Xen hypervisor host and using the iommu=no-intremap kernel boot option. Using this option reintroduces CVE-2011-1898.

Note that if your hardware does not support interrupt remapping, and the RHSA-2011:1479 or RHSA-2012:0358 update has been installed, using the iommu=on kernel boot option prevents PCI passthrough to fully-virtualized Xen hypervisor guests (PCI devices will not be able to be assigned to the guest).

Run the cat /proc/cmdline command to view the options the kernel was booted with; the hypervisor's own options are also printed by xm dmesg on a line beginning with "(XEN) Command line:". Users of GRUB can make the option persist across reboots by adding it to the kernel /xen.gz line (the hypervisor line, not the module line that loads the Red Hat Enterprise Linux kernel) in /etc/grub.conf.
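
The following script is an added example and not part of the Red Hat article: it classifies a Red Hat Enterprise Linux 5 Xen host's fully-virtualized passthrough state from a single xm dmesg capture, by looking for the "Interrupt Remapping hardware not found" message quoted above and parsing the hypervisor's iommu= option. It assumes (this example's own assumptions) that the hypervisor echoes its boot options on a "(XEN) Command line:" line, that iommu= takes a comma-separated token list, and that the last iommu= argument wins. The sample xm dmesg excerpts are constructed, and the function and state names are this example's own.

```shell
#!/bin/sh
# Added example: classify a RHEL 5 Xen host's PCI passthrough state for
# fully-virtualized guests from "xm dmesg" output. Not from the Red Hat
# article; assumptions and names are this example's own.

IR_MISSING_MSG='Interrupt Remapping hardware not found'

# Print "yes" if the effective iommu= option ($1 is the hypervisor command
# line) contains the no-intremap token, otherwise "no". Assumes a
# comma-separated token list and that the last iommu= argument wins.
xen_no_intremap_set() {
  set_flag=no
  for arg in $1; do
    case $arg in
      iommu=*)
        set_flag=no   # a later iommu= argument overrides an earlier one
        for tok in $(printf '%s' "${arg#iommu=}" | tr ',' ' '); do
          [ "$tok" = no-intremap ] && set_flag=yes
        done
        ;;
    esac
  done
  echo "$set_flag"
}

# Extract the hypervisor command line from xm dmesg output (empty if absent).
# Only this line is parsed: grepping the whole capture for iommu=no-intremap
# would match the "please boot with iommu=no-intremap" advice in the
# warning message itself and report the workaround as active when it is not.
xen_cmdline_from_dmesg() {
  printf '%s\n' "$1" | sed -n 's/^(XEN) Command line: //p' | tail -n 1
}

# States for fully-virtualized guests on a host with the fix installed:
#   not-detected            no "hardware not found" message: either IR
#                           hardware is present or the hypervisor was booted
#                           below loglvl=info, so re-check with loglvl=info
#   passthrough-blocked     no IR hardware and no-intremap not set: PCI
#                           assignment to fully-virtualized guests is refused
#   vulnerable-passthrough  no IR hardware and iommu=no-intremap set:
#                           passthrough works, CVE-2011-1898 is reintroduced
xen_hvm_passthrough_state() {
  if ! printf '%s\n' "$1" | grep -q "$IR_MISSING_MSG"; then
    echo not-detected
    return 0
  fi
  cmdline=$(xen_cmdline_from_dmesg "$1")
  if [ "$(xen_no_intremap_set "$cmdline")" = yes ]; then
    echo vulnerable-passthrough
  else
    echo passthrough-blocked
  fi
}

# Constructed xm dmesg excerpts (not captured from a real host); the warning
# text is the message the article quotes.
SAMPLE_BLOCKED='(XEN) Command line: iommu=on loglvl=info
(XEN) Interrupt Remapping hardware not found, passing devices to unprivileged domains is insecure. If you really want to do this, please boot with "iommu=no-intremap"'
SAMPLE_WORKAROUND='(XEN) Command line: iommu=on,no-intremap loglvl=info
(XEN) Interrupt Remapping hardware not found, passing devices to unprivileged domains is insecure. If you really want to do this, please boot with "iommu=no-intremap"'
SAMPLE_QUIET='(XEN) Command line: iommu=on
(XEN) Xen version 3.1.2'

for s in "$SAMPLE_BLOCKED" "$SAMPLE_WORKAROUND" "$SAMPLE_QUIET"; do
  echo "sample -> $(xen_hvm_passthrough_state "$s")"
done

# Live check, only where the xm tool exists (a Xen dom0).
if command -v xm >/dev/null 2>&1; then
  echo "host -> $(xen_hvm_passthrough_state "$(xm dmesg 2>/dev/null)")"
fi
```

The not-detected result is deliberately not reported as "safe": without loglvl=info the warning is not logged, so the absence of the message proves nothing until the host has been rebooted with that option as described in the steps above.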

Revision history

2012-03-07: Article updated to reflect the release of RHSA-2012:0358 (released on 2012-03-06), which corrected CVE-2011-1898 for Red Hat Enterprise Linux 5.6 Extended Update Support.

[1] Refer to the "PCI passthrough" section of the Red Hat Enterprise Linux 5 Virtualization Guide or to the "PCI device assignment" section of the Red Hat Enterprise Linux 6 Virtualization Guide, available on https://docs.redhat.com/docs/en-US/index.html, for further information about PCI passthrough.
