Summary: | <app-emulation/xen-{4.15.1-r3,4.16.0-r2}: multiple vulnerabilities in Xen (CVE-2022-{23033,23034,23035}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | filip ambroz <filip.ambroz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | hydrapolic, proxy-maint, xen |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: |
https://github.com/gentoo/gentoo/pull/23993 https://github.com/gentoo/gentoo/pull/24276 |
||
Whiteboard: | B3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 833750 | ||
Bug Blocks: |
Description
filip ambroz
2022-01-25 12:50:44 UTC
Please also beware of the bug: [Xen Security Advisory 395 v2 (CVE-2022-23035)] URL: https://seclists.org/oss-sec/2022/q1/73 Insufficient cleanup of passed-through device IRQs Not Affecting Xen versions in the portage tree (Xen versions 4.6 and later are vulnerable. Xen versions 4.5 and earlier are not vulnerable.) (In reply to filip ambroz from comment #1) > Please also beware of the bug: > > [Xen Security Advisory 395 v2 (CVE-2022-23035)] > URL: https://seclists.org/oss-sec/2022/q1/73 > > Insufficient cleanup of passed-through device IRQs > > Not Affecting Xen versions in the portage tree > (Xen versions 4.6 and later are vulnerable. Xen versions 4.5 and earlier are > not vulnerable.) Seems our versions are a bit higher than 4.6, though? [Xen Security Advisory 395 v2 (CVE-2022-23035)] URL: https://seclists.org/oss-sec/2022/q1/73 ISSUE DESCRIPTION ================= The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid. IMPACT ====== The precise impact is system specific, but would typically be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. VULNERABLE SYSTEMS ================== Xen versions 4.6 and later are vulnerable. Xen versions 4.5 and earlier are not vulnerable. Only x86 HVM guests with one or more passed-through physical devices using (together) multiple physical interupts can leverage the vulnerability. x86 PV guests cannot leverage the vulnerability. x86 HVM guests without passed-through devices or with a passed-through device using just a single physical interrupt also cannot leverage the vulnerability. Device pass-through is unsupported for x86 PVH guests and all Arm guests. MITIGATION ========== There is no mitigation (other than not passing through to x86 HVM guests PCI devices with, overall, more than a single physical interrupt). RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa395.patch xen-unstable - Xen 4.15.x xsa395-4.14.patch Xen 4.14.x - Xen 4.12.x $ sha256sum xsa395* f460be598b936bb5cfb9276787f2f21d90b029d1fe10dabd572ae50f84a1124d xsa395.meta 295b876c52cf5efe19150757275da3d154beb72ac2d7be267e16c9262e410de3 xsa395.patch 5697f3137e0a202744f31b1c6cbcfa459d8fa9b4b68be59561b78c40fe1233c5 xsa395-4.14.patch $ (In reply to John Helmert III from comment #2) > (In reply to filip ambroz from comment #1) > > Please also beware of the bug: > > > > [Xen Security Advisory 395 v2 (CVE-2022-23035)] > > URL: https://seclists.org/oss-sec/2022/q1/73 > > > > Insufficient cleanup of passed-through device IRQs > > > > Not Affecting Xen versions in the portage tree > > (Xen versions 4.6 and later are vulnerable. Xen versions 4.5 and earlier are > > not vulnerable.) > > Seems our versions are a bit higher than 4.6, though? Obviously you are right :) All three bugs apply. Thank you for pointing that out! The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30103c3739d852d6b78be7ef9d64c480dd4eb5ad commit 30103c3739d852d6b78be7ef9d64c480dd4eb5ad Author: Tomáš Mózes <hydrapolic@gmail.com> AuthorDate: 2022-01-28 08:22:23 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-02-18 02:52:36 +0000 app-emulation/xen: add upstream security patches Bug: https://bugs.gentoo.org/832039 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com> Signed-off-by: Sam James <sam@gentoo.org> app-emulation/xen/Manifest | 2 + app-emulation/xen/xen-4.15.1-r3.ebuild | 163 ++++++++++++++++++++++++++++++++ app-emulation/xen/xen-4.16.0-r2.ebuild | 164 +++++++++++++++++++++++++++++++++ 3 files changed, 329 insertions(+) Thanks, please cleanup! GLSA request filed GLSA done, all done. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1 commit 22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-08-14 14:28:39 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-14 14:33:57 +0000 [ GLSA 202208-23 ] Xen: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/810341 Bug: https://bugs.gentoo.org/812485 Bug: https://bugs.gentoo.org/816882 Bug: https://bugs.gentoo.org/825354 Bug: https://bugs.gentoo.org/832039 Bug: https://bugs.gentoo.org/835401 Bug: https://bugs.gentoo.org/850802 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202208-23.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) |