
Bug 825354 (CVE-2021-28710, XSA-390)

Summary: <app-emulation/xen-{4.14.3-r2,4.15.1-r2}: privilege escalation
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: hydrapolic, proxy-maint, xen
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://xenbits.xenproject.org/xsa/advisory-390.html
See Also: https://github.com/gentoo/gentoo/pull/23064
https://bugs.gentoo.org/show_bug.cgi?id=827094
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-20 20:10:04 UTC
CVE-2021-28710:

ISSUE DESCRIPTION
=================

For efficiency reasons, address translation control structures (page
tables) may (and, on suitable hardware, by default will) be shared
between CPUs, for second-level translation (EPT), and IOMMUs.  These
page tables are presently set up to always be 4 levels deep.  However,
an IOMMU may require the use of just 3 page table levels.  In such a
configuration the top level table needs to be stripped before
inserting the root table's address into the hardware pagetable base
register.  When sharing page tables, Xen erroneously skipped this
stripping.  Consequently, the guest is able to write to leaf page
table entries.

IMPACT
======

A malicious guest may be able to escalate its privileges to that of
the host.

VULNERABLE SYSTEMS
==================

Xen version 4.15 is vulnerable.  Xen versions 4.14 and earlier are not
vulnerable.

Only x86 Intel systems with IOMMU(s) in use are affected.  Arm
systems, non-Intel x86 systems, and x86 systems without IOMMU are not
affected.
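
A simplified model of the level mismatch described in the advisory above, added here as an illustration; it is not Xen code and not part of the original report. It shows which frame a 3-level walker reaches when it is handed the stripped root versus the unstripped top-level table. The toy table width, the structure and function names, and the `strip` flag are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

#define ENTRIES 4 /* toy width; real x86 tables hold 512 entries */

enum kind { TABLE, DATA };
struct page {
    enum kind kind;
    int level; /* 4 = top level ... 1 = leaf table, 0 = guest data */
    struct page *slot[ENTRIES];
};

/* Constructed 4-level tree that maps a single guest data page. */
static struct page data = { DATA, 0, { NULL } };
static struct page l1 = { TABLE, 1, { NULL, NULL, NULL, &data } };
static struct page l2 = { TABLE, 2, { NULL, NULL, &l1, NULL } };
static struct page l3 = { TABLE, 3, { NULL, &l2, NULL, NULL } };
static struct page l4 = { TABLE, 4, { &l3, NULL, NULL, NULL } };

/* Follow `levels` lookups from `root`; the page reached is what the
 * walker treats as the target frame, whatever it really contains. */
static struct page *walk(struct page *root, int levels, const int *idx)
{
    struct page *p = root;
    for (int i = 0; i < levels && p != NULL; i++)
        p = p->slot[idx[i]];
    return p;
}

/* Frame a 3-level IOMMU reaches from the shared 4-level tree.
 * strip != 0: root is the level-3 table under the top level (correct).
 * strip == 0: root is the top-level table itself (the skipped step). */
static struct page *iommu_target(int strip, const int *idx)
{
    struct page *root = strip ? l4.slot[0] : &l4;
    return walk(root, 3, idx);
}

int main(void)
{
    const int a[3] = { 1, 2, 3 }, b[3] = { 0, 1, 2 };
    struct page *ok = iommu_target(1, a), *bad = iommu_target(0, b);
    printf("stripped root:   level %d, %s\n", ok->level,
           ok->kind == DATA ? "guest data" : "page table");
    printf("unstripped root: level %d, %s\n", bad->level,
           bad->kind == DATA ? "guest data" : "page table");
    return 0;
}
```

With the stripped root the walk ends on the guest's data page; with the unstripped root every walk ends one level too early, so the frame exposed to the device is a leaf page table.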
Comment 1 Larry the Git Cow gentoo-dev 2021-11-24 07:44:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01eab127a243956ce4de2e0b9ce1221352851c86

commit 01eab127a243956ce4de2e0b9ce1221352851c86
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-11-24 06:11:59 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2021-11-24 07:43:30 +0000

    app-emulation/xen: add 4.14.3-r2 and 4.15.1-r2
    
    Bug: https://bugs.gentoo.org/825354
    Bug: https://bugs.gentoo.org/826998
    Closes: https://bugs.gentoo.org/819408
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/23064
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest             |   2 +
 app-emulation/xen/xen-4.14.3-r2.ebuild | 163 +++++++++++++++++++++++++++++++++
 app-emulation/xen/xen-4.15.1-r2.ebuild | 163 +++++++++++++++++++++++++++++++++
 3 files changed, 328 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 03:50:50 UTC
Very sorry this was missed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:51:56 UTC
GLSA request filed
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 14:31:03 UTC
GLSA done, all done.
Comment 5 Larry the Git Cow gentoo-dev 2022-08-14 14:34:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1

commit 22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:28:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-23 ] Xen: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/810341
    Bug: https://bugs.gentoo.org/812485
    Bug: https://bugs.gentoo.org/816882
    Bug: https://bugs.gentoo.org/825354
    Bug: https://bugs.gentoo.org/832039
    Bug: https://bugs.gentoo.org/835401
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-23.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)