We have just published Qubes Security Bulletin (QSB) 075: Insufficient cleanup of passed-through device IRQs (XSA-395). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-075 in the qubes-secpack:
In addition, you may wish to:
- Get the qubes-secpack: https://www.qubes-os.org/security/pack/
- View all past QSBs: https://www.qubes-os.org/security/qsb/
- View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 075 ]===---

2022-01-25

Insufficient cleanup of passed-through device IRQs (XSA-395)

User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - Xen packages, version 4.8.5-37

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.3-8

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. Once available, the packages are to be installed via
the Qubes Update tool or its command-line equivalents.

Dom0 must be restarted afterward in order for the updates to take effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Summary
--------

On 2022-01-25, the Xen project published XSA-395, "Insufficient cleanup
of passed-through device IRQs":

| The management of IRQs associated with physical devices exposed to x86
| HVM guests involves an iterative operation in particular when cleaning
| up after the guest's use of the device. In the case where an
| interrupt is not quiescent yet at the time this cleanup gets invoked,
| the cleanup attempt may be scheduled to be retried. When multiple
| interrupts are involved, this scheduling of a retry may get
| erroneously skipped. At the same time pointers may get cleared
| (resulting in a de-reference of NULL) and freed (resulting in a
| use-after-free), while other code would continue to assume them to be
| valid.

Impact
-------

The precise impact is system-specific but would typically be a denial
of service (DoS) affecting the entire host. Privilege escalation and
information leaks cannot be ruled out.

Only x86 HVM guests with one or more passed-through physical devices
using multiple physical interrupts together can exploit this
vulnerability.

In Qubes, this generally applies to sys-usb and sys-net, but whether the
relevant devices use multiple interrupts together is system-specific.

Credits
--------

See the original Xen Security Advisory.

References
-----------

- https://www.qubes-os.org/doc/testing/
- https://www.qubes-os.org/doc/how-to-update/
- https://xenbits.xen.org/xsa/advisory-395.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
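An added check that is not part of the QSB: it compares dom0's installed Xen version-release against the minimum the bulletin names for the running Qubes release, ordering segments the way RPM does so that a release of "10" is correctly newer than "8" (plain string comparison gets this wrong). The `rpm -q --qf` query is an assumption about how the installed version would be read in dom0; the versions in the tests are constructed sample values.

```python
"""Added example: does dom0's Xen package meet the QSB-075 minimum version?"""
import re
import subprocess

# Minimum Xen package versions (version-release) named in QSB-075, by Qubes release.
QSB_075_REQUIRED = {
    "4.0": "4.8.5-37",
    "4.1": "4.14.3-8",
}


def _segments(s):
    """Split into alternating digit and letter runs, as rpmvercmp does ("8.fc32" -> 8, fc, 32)."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two RPM version (or release) strings segment-wise."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):               # numeric compare: 10 > 8, unlike str compare
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment sorts newer than an alpha one
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # extra segments (e.g. dist tag) sort newer


def evr_cmp(installed, required):
    """Compare 'version-release' strings: version first, release as tie-breaker."""
    v1, r1 = installed.split("-", 1)
    v2, r2 = required.split("-", 1)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def is_patched(qubes_release, installed):
    """True when the installed Xen version-release is at or above the QSB-075 minimum."""
    return evr_cmp(installed, QSB_075_REQUIRED[qubes_release]) >= 0


def installed_xen_version():
    """Assumption: read the installed xen package's version-release from dom0's RPM database."""
    out = subprocess.check_output(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "xen"], text=True)
    return out.strip()


if __name__ == "__main__":
    import sys
    release = sys.argv[1] if len(sys.argv) > 1 else "4.1"   # pass "4.0" or "4.1"
    installed = installed_xen_version()
    verdict = "patched" if is_patched(release, installed) else "NOT patched; update dom0"
    print(f"Qubes {release}: xen {installed} is {verdict} (restart dom0 after updating)")
```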
This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2022/01/25/qsb-075/