CVE-2022-33748 (https://xenbits.xenproject.org/xsa/advisory-411.txt): http://xenbits.xen.org/xsa/advisory-411.html http://www.openwall.com/lists/oss-security/2022/10/11/2 lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU. CVE-2022-33746 (https://xenbits.xenproject.org/xsa/advisory-410.txt): http://xenbits.xen.org/xsa/advisory-410.html http://www.openwall.com/lists/oss-security/2022/10/11/3 P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing. CVE-2022-33749 (https://xenbits.xenproject.org/xsa/advisory-413.txt): http://xenbits.xen.org/xsa/advisory-413.html http://www.openwall.com/lists/oss-security/2022/10/11/4 XAPI open file limit DoS It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other (trusted) clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors. CVE-2022-33747 (https://xenbits.xenproject.org/xsa/advisory-409.txt): http://xenbits.xen.org/xsa/advisory-409.html http://www.openwall.com/lists/oss-security/2022/10/11/5 Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.
Tomas, these are all fixed in 4.15.4_pre1, then?
(In reply to John Helmert III from comment #1) > Tomas, these are all fixed in 4.15.4_pre1, then? Yes
Great, thanks!
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4bff25a0b75caa9a2bc6a8d34d8f77a267399856 commit 4bff25a0b75caa9a2bc6a8d34d8f77a267399856 Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2022-10-26 05:07:20 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-26 14:26:16 +0000 app-emulation/xen: drop vulnerable Bug: https://bugs.gentoo.org/876790 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Signed-off-by: John Helmert III <ajak@gentoo.org> app-emulation/xen/xen-4.15.3.ebuild | 183 ------------------------------------ app-emulation/xen/xen-4.16.2.ebuild | 174 ---------------------------------- 2 files changed, 357 deletions(-)
Thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=3f8db3fdbc2235dee30f5c1ea206584ecabbe484 commit 3f8db3fdbc2235dee30f5c1ea206584ecabbe484 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-02-04 07:16:20 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-02-04 07:16:59 +0000 [ GLSA 202402-07 ] Xen: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/754105 Bug: https://bugs.gentoo.org/757126 Bug: https://bugs.gentoo.org/826998 Bug: https://bugs.gentoo.org/837575 Bug: https://bugs.gentoo.org/858122 Bug: https://bugs.gentoo.org/876790 Bug: https://bugs.gentoo.org/879031 Bug: https://bugs.gentoo.org/903624 Bug: https://bugs.gentoo.org/905389 Bug: https://bugs.gentoo.org/915970 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202402-07.xml | 112 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+)
