QSB-075: Insufficient cleanup of passed-through device IRQs (XSA-395)

We have just published Qubes Security Bulletin (QSB) 075: Insufficient cleanup of passed-through device IRQs (XSA-395). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

             ---===[ Qubes Security Bulletin 075 ]===---


    Insufficient cleanup of passed-through device IRQs (XSA-395)

User action required

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - Xen packages, version 4.8.5-37

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.3-8

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new Xen


On 2022-01-25, the Xen project published XSA-395, "Insufficient cleanup
of passed-through device IRQs" [3]:

| The management of IRQs associated with physical devices exposed to x86
| HVM guests involves an iterative operation in particular when cleaning
| up after the guest's use of the device.  In the case where an
| interrupt is not quiescent yet at the time this cleanup gets invoked,
| the cleanup attempt may be scheduled to be retried.  When multiple
| interrupts are involved, this scheduling of a retry may get
| erroneously skipped.  At the same time pointers may get cleared
| (resulting in a de-reference of NULL) and freed (resulting in a
| use-after-free), while other code would continue to assume them to be
| valid.


The precise impact is system-specific but would typically be a denial of
service (DoS) affecting the entire host.  Privilege escalation and
information leaks cannot be ruled out.

Only x86 HVM guests with one or more passed-through physical devices
using multiple physical interrupts together can exploit this
vulnerability. In Qubes, this generally applies to sys-usb and sys-net,
but whether the relevant devices use multiple interrupts together is

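A quick way to check the caveat above on your own system, as an added example that is not part of the bulletin or of Qubes OS: run it inside the qube that owns the passed-through devices (sys-net, sys-usb) and it lists devices whose interrupt setup uses more than one vector, based on `lspci -vv` output. The function names are hypothetical and the sample data is constructed; the result is an indicator, not a guarantee about what Xen sees on the host side.

```shell
#!/bin/sh
# Added example, not part of QSB-075 or of Qubes OS: list PCI devices whose
# interrupt setup uses more than one vector, based on `lspci -vv` output.
# Run it inside the qube that owns the devices (e.g. sys-net or sys-usb).
# Function names are hypothetical; the sample data below is constructed.

# Print "<slot> <type> <vectors>" for every device that has MSI-X enabled
# or more than one MSI vector enabled. lspci shows MSI as
# "Count=<enabled>/<max>" and MSI-X as "Count=<table size>"; it does not
# report how many MSI-X vectors are in use, so any enabled MSI-X device is
# treated as multi-vector (an upper bound, not an exact answer).
multi_vector_devices() {
    awk '
        /^[0-9a-f]+:[0-9a-f]+\.[0-9a-f]/ { slot = $1 }
        /Capabilities:.*MSI-X: Enable[+]/ {
            sub(/.*Count=/, ""); sub(/ .*/, "")
            print slot, "MSI-X", $0
        }
        /Capabilities:.*MSI: Enable[+]/ {
            sub(/.*Count=/, ""); split($0, c, "/")
            if (c[1] + 0 > 1) print slot, "MSI", c[1]
        }
    '
}

# Number of such devices (0 means the heuristic found none).
count_multi_vector() {
    multi_vector_devices | wc -l | tr -d ' '
}

# Constructed lspci -vv excerpt (not captured from a real system).
SAMPLE_LSPCI='00:04.0 USB controller: Example xHCI
        Interrupt: pin A routed to IRQ 16
        Capabilities: [80] MSI: Enable+ Count=1/8 Maskable- 64bit+
00:05.0 Ethernet controller: Example Gigabit NIC
        Capabilities: [70] MSI-X: Enable+ Count=5 Masked-
00:06.0 Network controller: Example Wi-Fi
        Capabilities: [50] MSI: Enable+ Count=4/16 Maskable+ 64bit+
00:07.0 SATA controller: Example AHCI
        Capabilities: [60] MSI: Enable- Count=1/1 Maskable- 64bit-'

# Real use inside the qube:  lspci -vv | multi_vector_devices
# Demonstration on the constructed sample; prints:
#   00:05.0 MSI-X 5
#   00:06.0 MSI 4
printf '%s\n' "$SAMPLE_LSPCI" | multi_vector_devices
```

Devices with legacy INTx only (an "Interrupt: pin A routed to IRQ n" line and no enabled MSI/MSI-X) are not listed, since they use a single interrupt.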

See the original Xen Security Advisory.


[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-395.html

The Qubes Security Team

This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2022/01/25/qsb-075/