QSB-103: Double unlock in x86 guest IRQ handling (XSA-458)

We have published Qubes Security Bulletin (QSB) 103: Double unlock in x86 guest IRQ handling (XSA-458). The text of this QSB and its accompanying cryptographic signatures are reproduced below, followed by a general explanation of this announcement and authentication instructions.

Qubes Security Bulletin 103


---===[ Qubes Security Bulletin 103 ]===---

2024-07-16

Double unlock in x86 guest IRQ handling (XSA-458)

User action
------------

Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.

Summary
--------

On 2024-07-16, the Xen Project published XSA-458, "double unlock in x86
guest IRQ handling" [3]:
| An optional feature of PCI MSI called "Multiple Message" allows a
| device to use multiple consecutive interrupt vectors. Unlike for
| MSI-X, the setting up of these consecutive vectors needs to happen all
| in one go. In this handling an error path could be taken in different
| situations, with or without a particular lock held. This error path
| wrongly releases the lock even when it is not currently held.

Impact
-------

An attacker who compromises a qube with an attached PCI device that has
multi-vector MSI capability (e.g., sys-net or sys-usb in the default
Qubes OS configuration) can attempt to exploit this vulnerability in
order to compromise Qubes OS.

Affected systems
-----------------

Both Qubes OS 4.1 and 4.2 are affected.

Patching
---------

The following packages contain security updates that address the
vulnerabilities described in this bulletin:

For Qubes 4.1, in dom0:
- Xen packages, version 4.14.6-10

For Qubes 4.2, in dom0:
- Xen packages, version 4.17.4-4

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
--------

See the original Xen Security Advisory.

References
-----------

[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-458.html

The Qubes Security Team
https://www.qubes-os.org/security/



Source: qsb-103-2024.txt

Marek Marczykowski-Górecki’s PGP signature