Bug 876790 (CVE-2022-33746, CVE-2022-33747, CVE-2022-33748, CVE-2022-33749)

Summary: <app-emulation/xen-4.15.4_pre1: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hydrapolic, proxy-maint, xen
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/27952
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 877875    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-11 19:48:05 UTC
CVE-2022-33748 (https://xenbits.xenproject.org/xsa/advisory-411.txt):
http://xenbits.xen.org/xsa/advisory-411.html
http://www.openwall.com/lists/oss-security/2022/10/11/2

lock order inversion in transitive grant copy handling

As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU.

CVE-2022-33746 (https://xenbits.xenproject.org/xsa/advisory-410.txt):
http://xenbits.xen.org/xsa/advisory-410.html
http://www.openwall.com/lists/oss-security/2022/10/11/3

P2M pool freeing may take excessively long

The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.

CVE-2022-33749 (https://xenbits.xenproject.org/xsa/advisory-413.txt):
http://xenbits.xen.org/xsa/advisory-413.html
http://www.openwall.com/lists/oss-security/2022/10/11/4

XAPI open file limit DoS

It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other (trusted) clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors.

CVE-2022-33747 (https://xenbits.xenproject.org/xsa/advisory-409.txt):
http://xenbits.xen.org/xsa/advisory-409.html
http://www.openwall.com/lists/oss-security/2022/10/11/5

Arm: unbounded memory consumption for 2nd-level page tables

Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.
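
An added illustration of the CVE-2022-33746 description above (P2M pool freeing without intermediate preemption checks), not code from Xen or from this bug report: a small C model in which `pool_free`, `drain`, `preempt_pending` and `MODEL_ERESTART` are hypothetical names. It contrasts freeing a large pool in one uninterrupted run with freeing it in bounded batches that yield when other work is pending.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_ERESTART 1   /* hypothetical "call me again" code, not Xen's value */
struct pool { size_t pages_left; };   /* stands in for the P2M pool */

/* Stand-in for the "is other work pending?" test (assumption: always yes). */
static bool preempt_pending(void) { return true; }

/* Free pages, but look for pending work every `check_every` pages.
 * check_every == 0 models the behaviour without checks. */
int pool_free(struct pool *p, size_t check_every, size_t *freed)
{
    *freed = 0;
    while (p->pages_left > 0) {
        p->pages_left--;              /* models freeing one page */
        (*freed)++;
        if (check_every && p->pages_left > 0 &&
            *freed % check_every == 0 && preempt_pending())
            return -MODEL_ERESTART;   /* yield; caller re-invokes later */
    }
    return 0;
}

/* Re-invoke until done; report call count and the longest uninterrupted run. */
size_t drain(size_t pages, size_t check_every, size_t *longest_run)
{
    struct pool p = { pages };
    size_t calls = 0, freed;
    int rc;
    *longest_run = 0;
    do {
        rc = pool_free(&p, check_every, &freed);
        calls++;
        if (freed > *longest_run)
            *longest_run = freed;
    } while (rc == -MODEL_ERESTART);
    return calls;
}

int main(void)
{
    size_t run, calls = drain(1000000, 0, &run);   /* constructed pool size */
    printf("no checks:   %zu call(s), longest run %zu pages\n", calls, run);
    calls = drain(1000000, 1024, &run);
    printf("with checks: %zu call(s), longest run %zu pages\n", calls, run);
    return 0;
}
```

The longest uninterrupted run is the quantity that matters here: without checks it grows with the pool size, with checks it is capped at the batch size.
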
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 17:29:24 UTC
Tomas, these are all fixed in 4.15.4_pre1, then?
Comment 2 Tomáš Mózes 2022-10-22 21:18:19 UTC
(In reply to John Helmert III from comment #1)
> Tomas, these are all fixed in 4.15.4_pre1, then?

Yes
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 22:15:54 UTC
Great, thanks!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-25 22:00:33 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2022-10-26 14:27:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4bff25a0b75caa9a2bc6a8d34d8f77a267399856

commit 4bff25a0b75caa9a2bc6a8d34d8f77a267399856
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-10-26 05:07:20 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-26 14:26:16 +0000

    app-emulation/xen: drop vulnerable
    
    Bug: https://bugs.gentoo.org/876790
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-emulation/xen/xen-4.15.3.ebuild | 183 ------------------------------------
 app-emulation/xen/xen-4.16.2.ebuild | 174 ----------------------------------
 2 files changed, 357 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-26 14:28:17 UTC
Thanks!
Comment 7 Larry the Git Cow gentoo-dev 2024-02-04 07:17:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3f8db3fdbc2235dee30f5c1ea206584ecabbe484

commit 3f8db3fdbc2235dee30f5c1ea206584ecabbe484
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-04 07:16:20 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-04 07:16:59 +0000

    [ GLSA 202402-07 ] Xen: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/754105
    Bug: https://bugs.gentoo.org/757126
    Bug: https://bugs.gentoo.org/826998
    Bug: https://bugs.gentoo.org/837575
    Bug: https://bugs.gentoo.org/858122
    Bug: https://bugs.gentoo.org/876790
    Bug: https://bugs.gentoo.org/879031
    Bug: https://bugs.gentoo.org/903624
    Bug: https://bugs.gentoo.org/905389
    Bug: https://bugs.gentoo.org/915970
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-07.xml | 112 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)