Qubes OS 45 Published by

The Qubes operating system has received an update that addresses the inappropriate handling of PCI devices that have phantom functions:

QSB-100: Incorrect handling of PCI devices with phantom functions (XSA-449)

QSB-100: Incorrect handling of PCI devices with phantom functions (XSA-449)

We have published Qubes Security Bulletin 100: Incorrect handling of PCI devices with phantom functions (XSA-449). The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.

Qubes Security Bulletin 100

---===[ Qubes Security Bulletin 100 ]===---


Incorrect handling of PCI devices with phantom functions (XSA-449)

User action

Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.


On 2024-01-30, the Xen Project published XSA-449, "pci: phantom
functions assigned to incorrect contexts" [3]:

| PCI devices can make use of a functionality called phantom functions,
| that when enabled allows the device to generate requests using the IDs
| of functions that are otherwise unpopulated. This allows a device to
| extend the number of outstanding requests.
| Such phantom functions need an IOMMU context setup, but failure to
| setup the context is not fatal when the device is assigned. Not
| failing device assignment when such failure happens can lead to the
| primary device being assigned to a guest, while some of the phantom
| functions are assigned to a different domain.


The impact as described by the Xen Project:

| Under certain circumstances a malicious guest assigned a PCI device
| with phantom functions may be able to access memory from a previous
| owner of the device.

In Qubes OS this means a PCI device that should be assigned to some qube
(like sys-net or sys-usb) may retain access to dom0 memory. When that
happens, the qube to which that device is assigned can compromise the
whole system. But, a malicious qube cannot itself cause this condition,
as it happens before it is running. For such attack to be feasible, it
needs to be combined with some other method to cause PCI device
assignment to fail.

Affected systems

All Qubes OS versions are affected. Only systems on which at lest one
passed-through PCI device has phantom functions are affected.


The following packages contain security updates that address the
vulnerabilities described in this bulletin:

For Qubes 4.1, in dom0:
- Xen packages, version 4.14.6-6

For Qubes 4.2, in dom0:
- Xen packages, version 4.17.3-2

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]

Dom0 must be restarted afterward in order for the updates to take

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


See the original Xen Security Advisory.


[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-449.html

The Qubes Security Team

Source: https://github.com/QubesOS/qubes-secpack/blob/main/QSBs/qsb-100-2024.txt

Marek Marczykowski-Górecki’s PGP signature