Bug 929038 (CVE-2023-46842, CVE-2024-31142, XSA-454, XSA-455)

Summary: <app-emulation/xen-4.17.4: multiple vulnerabilities
Product: Gentoo Security
Reporter: Tomáš Mózes <hydrapolic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hydrapolic, proxy-maint, xen
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/36187
          https://github.com/gentoo/gentoo/pull/36435
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 929053
Bug Blocks:

Description Tomáš Mózes 2024-04-10 05:48:23 UTC
https://xenbits.xen.org/xsa/advisory-454.html

x86 HVM hypercalls may trigger Xen bug check

ISSUE DESCRIPTION
=================

Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and
other modes.  This in particular means that they may set registers used
to pass 32-bit-mode hypercall arguments to values outside of the range
32-bit code would be able to set them to.

When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation.  Doing so
involves putting (perhaps updated) hypercall arguments in respective
registers.  For guests not running in 64-bit mode this further involves
a certain amount of translation of the values.

Unfortunately internal sanity checking of these translated values
assumes high halves of registers to always be clear when invoking a
hypercall.  When this is found not to be the case, it triggers a
consistency check in the hypervisor and causes a crash.

IMPACT
======

A HVM or PVH guest can cause a hypervisor crash, causing a Denial of
Service (DoS) of the entire host.


https://xenbits.xen.org/xsa/advisory-455.html

x86: Incorrect logic for BTC/SRSO mitigations


ISSUE DESCRIPTION
=================

Because of a logical error in XSA-407 (Branch Type Confusion), the
mitigation is not applied properly when it is intended to be used.
XSA-434 (Speculative Return Stack Overflow) uses the same
infrastructure, so is equally impacted.

For more details, see:
  https://xenbits.xen.org/xsa/advisory-407.html
  https://xenbits.xen.org/xsa/advisory-434.html

IMPACT
======

XSAs 407 and 434 are unmitigated, even when the patches are in place.
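
The XSA-454 failure mode quoted above, as an added example that is not Xen's code and not part of the original report: a simplified C model in which a continuation for a non-64-bit guest trips a consistency check on a stale high register half, next to one assumed hardening (truncating argument registers on entry). The structure, function names and register values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { NARGS = 3 };                       /* model only three argument registers */
struct guest_regs {                       /* hypothetical, not Xen's structure */
    uint64_t arg[NARGS];                  /* full 64-bit register contents */
    bool mode64;                          /* guest mode when the hypercall is made */
};

/* Constructed sample: arg[1] still has a high half that was set in 64-bit mode. */
static struct guest_regs sample_regs(bool mode64)
{
    struct guest_regs r = { .arg = { 0x10, 0x100000002ULL, 0x30 }, .mode64 = mode64 };
    return r;
}

/* Assumed hardening: truncate argument registers on entry from non-64-bit mode. */
static void clear_high_halves(struct guest_regs *r)
{
    for (int i = 0; !r->mode64 && i < NARGS; i++)
        r->arg[i] = (uint32_t)r->arg[i];
}

/* Store an updated argument for the continuation. Returns false where the
 * consistency check (high half of an untouched register must be clear) fires. */
static bool create_continuation(struct guest_regs *r, int idx, uint64_t val)
{
    if (r->mode64) { r->arg[idx] = val; return true; }
    for (int i = 0; i < NARGS; i++) {
        if (i == idx)
            r->arg[i] = (uint32_t)val;    /* translated 32-bit value */
        else if (r->arg[i] != (uint32_t)r->arg[i])
            return false;                 /* the advisory describes a crash here */
    }
    return true;
}

static bool run_hypercall(struct guest_regs r, bool hardened)
{
    if (hardened) clear_high_halves(&r);
    return create_continuation(&r, 0, r.arg[0] + 1);
}

int main(void)
{
    printf("32-bit mode, unhardened: %d, hardened: %d\n",
           run_hypercall(sample_regs(false), false), run_hypercall(sample_regs(false), true));
    return 0;
}
```

In the model the check is turned into a return value so both paths can be compared; a 64-bit guest passes either way because no translation or high-half check applies to it.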

Comment 1 Larry the Git Cow gentoo-dev 2024-04-10 06:43:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d31f537201f13b73921965d76da5934c0045a4a9

commit d31f537201f13b73921965d76da5934c0045a4a9
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-04-10 06:23:29 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-04-10 06:43:18 +0000

    app-emulation/xen: add 4.17.4
    
    Fixes XSA-454, XSA-455
    
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest          |   1 +
 app-emulation/xen/xen-4.17.4.ebuild | 179 ++++++++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7ce4f82dd1b7feb09f791b626796954fff357f2

commit d7ce4f82dd1b7feb09f791b626796954fff357f2
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-04-10 06:22:23 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-04-10 06:43:17 +0000

    app-emulation/xen-tools: add 4.17.4
    
    Fixes XSA-454, XSA-455
    
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen-tools/Manifest                |   1 +
 app-emulation/xen-tools/xen-tools-4.17.4.ebuild | 524 ++++++++++++++++++++++++
 2 files changed, 525 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev 2024-05-29 08:32:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c37fde91730804f6895e61e65b1d98c215efbf9

commit 1c37fde91730804f6895e61e65b1d98c215efbf9
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-05-28 16:39:56 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-05-29 08:31:35 +0000

    app-emulation/xen: drop 4.17.4_pre2
    
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/36435
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest               |   2 -
 app-emulation/xen/xen-4.17.4_pre2.ebuild | 179 -------------------------------
 2 files changed, 181 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev 2024-09-22 06:42:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf

commit ea0d6e72b1ba346264d25ab8bdd78f6551eaaadf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:41:59 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:42:08 +0000

    [ GLSA 202409-10 ] Xen: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/918669
    Bug: https://bugs.gentoo.org/921355
    Bug: https://bugs.gentoo.org/923741
    Bug: https://bugs.gentoo.org/928620
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-10.xml | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)