ISSUE DESCRIPTION
=================

Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR"). These are typically used for platform tasks such as legacy USB emulation.

If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU configuration for these devices which are not properly deassigned ends up pointing to a freed data structure, including the IO Pagetables. Subsequent DMA or interrupts from the device will have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

This bug has existed since at least Xen 4.4. But it was previously masked by a tangentially-related misbehaviour; that misbehaviour was corrected in

    f591755823a7 IOMMU/PCI: don't let domain cleanup continue when device de-assignment failed

which was backported to supported stable branches.

IMPACT
======

Administrators of guests which have been assigned RMRR-using PCI devices can cause denial of service and other problems, possibly including escalation of privilege.

VULNERABLE SYSTEMS
==================

For stable Xen releases: 4.13.4, 4.14.3 and 4.15.1 are vulnerable. Other versions of Xen released by the Xen Project are not affected.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78d3124bdd04e9ccc71dd98aebf63d940e9032ca

commit 78d3124bdd04e9ccc71dd98aebf63d940e9032ca
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-10-12 06:39:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-10-20 09:59:23 +0000

    app-emulation/xen: add upstream security patches

    Bug: https://bugs.gentoo.org/816882
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-emulation/xen/Manifest             |   2 +
 app-emulation/xen/xen-4.14.3-r1.ebuild | 167 +++++++++++++++++++++++++++++++++
 app-emulation/xen/xen-4.15.1-r1.ebuild | 167 +++++++++++++++++++++++++++++++++
 3 files changed, 336 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abb409bcf43be1f9ce250459f6dbf126b1dcf50d

commit abb409bcf43be1f9ce250459f6dbf126b1dcf50d
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-11-04 14:28:57 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-11-12 13:03:54 +0000

    app-emulation/xen: drop vulnerable

    Bug: https://bugs.gentoo.org/816882
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/22816
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-emulation/xen/xen-4.14.3.ebuild | 167 ------------------------------------
 1 file changed, 167 deletions(-)
This is done, tree clean.
GLSA request filed
GLSA done, all done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1

commit 22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:28:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-23 ] Xen: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/810341
    Bug: https://bugs.gentoo.org/812485
    Bug: https://bugs.gentoo.org/816882
    Bug: https://bugs.gentoo.org/825354
    Bug: https://bugs.gentoo.org/832039
    Bug: https://bugs.gentoo.org/835401
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-23.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)