
Bug 812485 (CVE-2021-28701, XSA-384)

Summary: <app-emulation/xen-{4.14.3,4.15.1}: race in XENMAPSPACE_grant_table (CVE-2021-28701)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: John Helmert III <ajak>
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
CC: flow, hydrapolic, proxy-maint, xen
See Also:
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 810341
Bug Blocks:

Description John Helmert III (gentoo-dev, Security) 2021-09-10 19:28:42 UTC

Another race in XENMAPSPACE_grant_table handling

Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.
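The following is an added, constructed model of the bug class the description talks about; it is not Xen code and not the XSA-384 patch. It contrasts a mapping path whose "is the v2 status page still present?" check is separated from the install of the mapping (so the v2-to-v1 switch can free the page in between) with a hardened pair in which the check, the install and the free path all run under one lock and the free path first revokes existing mappings. All identifiers (`grant_table_t`, `safe_map_status_page`, `racy_switch_to_v1`, and so on) are hypothetical, and the "free" is simulated by clearing a flag so the invariant checker can still inspect the page.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not Xen code) of the XSA-384 bug class: a grant-table v2
 * status page is freed when the guest switches back to v1, but a concurrent
 * "map the status page" request may still install a mapping to it. */

enum { MAX_MAPS = 8 };

typedef struct {
    int allocated;              /* 1 while the page belongs to the grant table */
} page_t;

typedef struct {
    pthread_mutex_t lock;       /* serialises map requests against the v2->v1 switch */
    int v2_active;              /* 1 while the v2 status page exists */
    page_t *status_page;        /* the page that is freed on switching to v1 */
    page_t *mappings[MAX_MAPS]; /* guest-visible mappings of status_page */
    int nmaps;
} grant_table_t;

void gt_init(grant_table_t *gt) {
    memset(gt, 0, sizeof *gt);
    pthread_mutex_init(&gt->lock, NULL);
}

void gt_destroy(grant_table_t *gt) {
    free(gt->status_page);
    pthread_mutex_destroy(&gt->lock);
}

/* Guest switches to v2: allocate (or re-arm) the status page. */
void gt_switch_to_v2(grant_table_t *gt) {
    pthread_mutex_lock(&gt->lock);
    if (!gt->status_page)
        gt->status_page = calloc(1, sizeof *gt->status_page);
    gt->status_page->allocated = 1;
    gt->v2_active = 1;
    pthread_mutex_unlock(&gt->lock);
}

/* --- Racy pattern: the check and the install are separate steps, so a v2->v1
 * switch can free the page in between. Split into explicit phases so the
 * interleaving is reproducible without threads. */
page_t *racy_map_phase1_check(grant_table_t *gt) {
    return gt->v2_active ? gt->status_page : NULL;   /* snapshot, no lock held */
}

int racy_map_phase2_install(grant_table_t *gt, page_t *pg) {
    if (!pg) return -1;
    pthread_mutex_lock(&gt->lock);  /* locking here is too late: pg may be freed */
    int rc = -1;
    if (gt->nmaps < MAX_MAPS) {
        gt->mappings[gt->nmaps++] = pg;
        rc = 0;
    }
    pthread_mutex_unlock(&gt->lock);
    return rc;
}

/* Racy switch: frees the page without revoking or blocking mappings. */
void racy_switch_to_v1(grant_table_t *gt) {
    pthread_mutex_lock(&gt->lock);
    gt->v2_active = 0;
    gt->status_page->allocated = 0;  /* simulated free */
    pthread_mutex_unlock(&gt->lock);
}

/* --- Hardened pattern: check and install happen atomically under the lock. */
int safe_map_status_page(grant_table_t *gt) {
    int rc = -1;
    pthread_mutex_lock(&gt->lock);
    if (gt->v2_active && gt->nmaps < MAX_MAPS) {
        gt->mappings[gt->nmaps++] = gt->status_page;
        rc = 0;
    }
    pthread_mutex_unlock(&gt->lock);
    return rc;
}

/* Free path under the same lock: revoke existing mappings, then mark v2
 * inactive so later map requests fail the check, then free the page. */
void safe_switch_to_v1(grant_table_t *gt) {
    pthread_mutex_lock(&gt->lock);
    if (gt->v2_active) {
        gt->nmaps = 0;                   /* revoke guest mappings first */
        gt->v2_active = 0;
        gt->status_page->allocated = 0;  /* simulated free */
    }
    pthread_mutex_unlock(&gt->lock);
}

/* Invariant checker: number of mappings that point at a freed page. */
int count_dangling(const grant_table_t *gt) {
    int n = 0;
    for (int i = 0; i < gt->nmaps; i++)
        if (!gt->mappings[i]->allocated) n++;
    return n;
}
```

Running the racy phases with a switch to v1 between them yields one mapping of a freed page; with the hardened pair, a map attempt after the switch fails and no mapping of the freed page can remain. The design point is that the lock has to cover both the condition that justifies the mapping and the installation of the mapping, and the free path must take the same lock and revoke first.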
Comment 1 Larry the Git Cow gentoo-dev 2021-09-18 09:50:10 UTC
The bug has been referenced in the following commit(s):

commit 4f2c2f779b6943e83e77b248b567c1e1d840c137
Author:     Tomáš Mózes <>
AuthorDate: 2021-09-11 11:01:18 +0000
Commit:     Joonas Niilola <>
CommitDate: 2021-09-18 09:49:58 +0000

    app-emulation/xen: bump to 4.14.3/4.15.1
    Signed-off-by: Tomáš Mózes <>
    Signed-off-by: Joonas Niilola <>

 app-emulation/xen/Manifest                   |   2 +
 app-emulation/xen/files/xen-4.15-flask.patch |  13 +++
 app-emulation/xen/xen-4.14.3.ebuild          | 167 +++++++++++++++++++++++++++
 app-emulation/xen/xen-4.15.1.ebuild          | 167 +++++++++++++++++++++++++++
 4 files changed, 349 insertions(+)
Comment 2 Tomáš Mózes 2021-12-18 01:13:11 UTC
This is done, tree clean.