921355 – (CVE-2023-46837, XSA-447) <app-emulation/xen-{4.16.6_pre2,4.17.3}: arm32: The cache may not be properly cleaned/invalidated

Bug 921355 (CVE-2023-46837, XSA-447) - <app-emulation/xen-{4.16.6_pre2,4.17.3}: arm32: The cache may not be properly cleaned/invalidated

Summary: <app-emulation/xen-{4.16.6_pre2,4.17.3}: arm32: The cache may not be properly...

Status:	RESOLVED FIXED

Alias:	CVE-2023-46837, XSA-447

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	C4 [glsa+]
Keywords:	PullRequest

Depends on:	922051
Blocks:
	Show dependency tree

Reported:	2024-01-04 12:08 UTC by Tomáš Mózes
Modified:	2024-09-22 06:43 UTC (History)
CC List:	4 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/34713
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tomáš Mózes 2024-01-04 12:08:26 UTC

https://xenbits.xen.org/xsa/advisory-447.html

ISSUE DESCRIPTION
=================

Arm provides multiple helpers to clean & invalidate the cache
for a given region.  This is, for instance, used when allocating
guest memory to ensure any writes (such as the ones during scrubbing)
have reached memory before handing over the page to a guest.

Unfortunately, the arithmetics in the helpers can overflow and would
then result to skip the cache cleaning/invalidation.  Therefore there
is no guarantee when all the writes will reach the memory.

This undefined behavior was meant to be addressed by XSA-437, but the
approach was not sufficient.

IMPACT
======

A malicious guest may be able to read sensitive data from memory that
previously belonged to another guest.

VULNERABLE SYSTEMS
==================

Systems running all version of Xen are affected.

Only systems running Xen on Arm 32-bit are vulnerable.  Xen on Arm 64-bit
is not affected.

Comment 1 Larry the Git Cow gentoo-dev

2024-01-09 08:53:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1da2b08b738151d1c02a097dbb56313d371dd9c7

commit 1da2b08b738151d1c02a097dbb56313d371dd9c7
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-01-08 16:35:11 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-01-09 08:52:43 +0000

    app-emulation/xen: add upstream patches
    
    Bug: https://bugs.gentoo.org/918669
    Bug: https://bugs.gentoo.org/921355
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/34713
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest               |   2 +
 app-emulation/xen/xen-4.16.6_pre2.ebuild | 174 ++++++++++++++++++++++++++++++
 app-emulation/xen/xen-4.17.3.ebuild      | 179 +++++++++++++++++++++++++++++++
 3 files changed, 355 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2024-09-22 06:42:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf

commit ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:41:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:42:08 +0000

    [ GLSA 202409-10 ] Xen: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/918669
    Bug: https://bugs.gentoo.org/921355
    Bug: https://bugs.gentoo.org/923741
    Bug: https://bugs.gentoo.org/928620
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-10.xml | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)