Xen
cpe:2.3:a:xen:xen:*:*:*:*:*:*:*, +2 more
- >= 4.0
A vulnerability exists in Xen's libxl library, affecting versions 4.0 and newer, where the detach logic for PCI device passthrough does not properly remove access permissions to 64-bit memory Base Address Registers (BARs) once a device is unplugged. This oversight allows a domain to retain access to the memory BARs of disconnected PCI devices. In Paravirtualized (PV) domains, this permission leak enables the domain to map the memory into its page tables. For Hardware Virtual Machine (HVM) domains, exploiting this leak requires a compromised device model or stub domain to map the memory into the HVM domain's physical-to-machine (p2m) mapping.
Exploitation of this vulnerability allows a PV guest to access the memory of PCI devices that are no longer assigned to it. In HVM domains, accessing the leaked memory requires an additional compromised component.
To mitigate this vulnerability, avoid hot-unplugging PCI devices. For HVM domains, ensure that no untrusted components are present that could exploit the permission leak.
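To see which passthrough devices the hot-unplug advice applies to, the following added example (not Xen or libxl code) parses a device's sysfs `resource` file in dom0 and lists its 64-bit memory BARs as page-frame ranges, the unit in which I/O memory permissions are granted and revoked. The function names and sample data are constructed, and selecting BARs by the Linux `IORESOURCE_MEM_64` flag is an assumption about what the description means by 64-bit BARs.

```python
import os
import sys

# Linux resource flag bits (include/linux/ioport.h)
IORESOURCE_MEM = 0x00000200
IORESOURCE_MEM_64 = 0x00100000
PAGE_SHIFT = 12  # 4 KiB frames

# Constructed sample of /sys/bus/pci/devices/<BDF>/resource.
# Each line is "start end flags"; all-zero lines are unused slots.
SAMPLE_RESOURCE = """\
0x0000380000000000 0x00003800000fffff 0x000000000014220c
0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000380000100000 0x0000380000103fff 0x000000000014220c
0x0000000000000000 0x0000000000000000 0x0000000000000000
0x000000000000e000 0x000000000000e01f 0x0000000000040101
0x00000000f7d00000 0x00000000f7d0ffff 0x0000000000040200
"""

def mem64_bars(resource_text):
    """Return [(index, first_frame, frame_count)] for 64-bit memory BARs."""
    found = []
    for index, line in enumerate(resource_text.splitlines()):
        fields = line.split()
        if len(fields) != 3:
            continue  # not a resource line
        start, end, flags = (int(field, 16) for field in fields)
        if start == 0 and end == 0:
            continue  # unused slot
        if flags & IORESOURCE_MEM and flags & IORESOURCE_MEM_64:
            first_frame = start >> PAGE_SHIFT
            frame_count = ((end - start) >> PAGE_SHIFT) + 1
            found.append((index, first_frame, frame_count))
    return found

def audit_device(bdf, sysfs_root="/sys/bus/pci/devices"):
    """Read the resource file for one device, e.g. bdf='0000:03:00.0'."""
    with open(os.path.join(sysfs_root, bdf, "resource")) as handle:
        return mem64_bars(handle.read())

if __name__ == "__main__":
    # With a BDF argument, audit that device; otherwise use the sample.
    bars = audit_device(sys.argv[1]) if len(sys.argv) > 1 else mem64_bars(SAMPLE_RESOURCE)
    for index, first_frame, frame_count in bars:
        print(f"BAR{index}: frames {first_frame:#x}..{first_frame + frame_count - 1:#x}"
              f" ({frame_count} frames) need review before hot-unplug")
```

A device for which this returns an empty list has no 64-bit memory BARs under the stated assumption; any other result identifies frame ranges a guest could still hold permission for after a detach on an affected libxl.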