We have just published Qubes Security Bulletin (QSB) 080: Issues with PV domains and PCI passthrough (XSA-401, XSA-402). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-080 in the qubes-secpack:
In addition, you may wish to:
- Get the qubes-secpack: https://www.qubes-os.org/security/pack/
- View all past QSBs: https://www.qubes-os.org/security/qsb/
- View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 080 ]===--- 2022-06-09 Issues with PV domains and PCI passthrough (XSA-401, XSA-402) User action required --------------------- Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.0, in dom0: - Xen packages, version 4.8.5-40 For Qubes 4.1, in dom0: - Xen packages, version 4.14.5-2 These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.  Once available, the packages are to be installed via the Qubes Update tool or its command-line equivalents.  Dom0 must be restarted afterward in order for the updates to take effect. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. Summary -------- The following security advisories were published on 2022-06-09: XSA-401  "x86 pv: Race condition in typeref acquisition": | Xen maintains a type reference count for pages, in addition to a | regular reference count. This scheme is used to maintain invariants | required for Xen's safety, e.g. PV guests may not have direct | writeable access to pagetables; updates need auditing by Xen. | | Unfortunately, the logic for acquiring a type reference has a race | condition, whereby a safely TLB flush is issued too early and creates | a window where the guest can re-establish the read/write mapping | before writeability is prohibited. XSA-402  "x86 pv: Insufficient care with non-coherent mappings": | Xen maintains a type reference count for pages, in addition to a | regular reference count. This scheme is used to maintain invariants | required for Xen's safety, e.g. PV guests may not have direct | writeable access to pagetables; updates need auditing by Xen. | | Unfortunately, Xen's safety logic doesn't account for CPU-induced | cache non-coherency; cases where the CPU can cause the content of the | cache to be different to the content in main memory. In such cases, | Xen's safety logic can incorrectly conclude that the contents of a | page is safe. Impact ------- These vulnerabilities, if exploited, could allow malicious PV domains with assigned PCI devices to escalate their privileges to that of the host. However, in the default Qubes OS configuration, these vulnerabilities affect only the stubdomains for sys-net and sys-usb. Therefore, in order to exploit these vulnerabilities in a default Qubes installation, an adversary would first have to discover and exploit an independent vulnerability in QEMU in order to gain control of an appropriate stubdomain. Only after having done so would the adversary be in a position to attempt to exploit the vulnerabilities discussed in this bulletin. XSA-402 affects only AMD systems and Intel systems before Ivy Bridge (the third generation of the Intel Core processors). Newer Intel systems are not affected. Credits -------- See the original Xen Security Advisory. References -----------  https://www.qubes-os.org/doc/testing/  https://www.qubes-os.org/doc/how-to-update/  https://xenbits.xen.org/xsa/advisory-401.html  https://xenbits.xen.org/xsa/advisory-402.html -- The Qubes Security Team https://www.qubes-os.org/security/