CVE-2021-28710:

ISSUE DESCRIPTION
=================

For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the top level table needs to be stripped before inserting the root table's address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries.

IMPACT
======

A malicious guest may be able to escalate its privileges to that of the host.

VULNERABLE SYSTEMS
==================

Xen version 4.15 is vulnerable. Xen versions 4.14 and earlier are not vulnerable.

Only x86 Intel systems with IOMMU(s) in use are affected. Arm systems, non-Intel x86 systems, and x86 systems without IOMMU are not affected.
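The level mismatch described in the advisory above, as an added toy model (not code from Xen, the advisory, or this bug report): a 3-level walker given the unstripped 4-level root stops one level early, so the frame it treats as the DMA target is the leaf page table itself. Frame numbers, function names and the one-entry mapping are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ENTRIES 512
#define NFRAMES 8

/* Toy physical memory (constructed): each frame holds 512 entries and an
 * entry is simply the frame number of the next level (0 = not present). */
static uint64_t mem[NFRAMES][ENTRIES];

enum { F_L4 = 1, F_L3, F_L2, F_L1, F_DATA };

/* One 4-level mapping for guest address 0, as the shared tables are built. */
static void build_shared_tables(void)
{
    mem[F_L4][0] = F_L3;
    mem[F_L3][0] = F_L2;
    mem[F_L2][0] = F_L1;
    mem[F_L1][0] = F_DATA;
}

/* Walk `levels` levels from frame `root`; return the frame finally reached. */
static uint64_t walk(uint64_t root, int levels, uint64_t addr)
{
    uint64_t frame = root;
    for (int l = levels; l >= 1 && frame != 0; l--)
        frame = mem[frame][(addr >> (12 + 9 * (l - 1))) & (ENTRIES - 1)];
    return frame;
}

/* CPU second-level translation: always a 4-level walk from the real root. */
static uint64_t cpu_target(uint64_t addr)
{
    build_shared_tables();
    return walk(F_L4, 4, addr);
}

/* IOMMU limited to 3 levels. strip=1 models the correct behaviour (root is
 * the table behind slot 0 of the top level); strip=0 models the bug. */
static uint64_t dma_target(int strip, uint64_t addr)
{
    build_shared_tables();
    return walk(strip ? mem[F_L4][0] : F_L4, 3, addr);
}

int main(void)
{
    printf("cpu: frame %llu\n", (unsigned long long)cpu_target(0));
    printf("iommu, stripped: frame %llu\n", (unsigned long long)dma_target(1, 0));
    printf("iommu, unstripped: frame %llu (the leaf page table)\n",
           (unsigned long long)dma_target(0, 0));
    return 0;
}
```

With the root stripped, CPU and IOMMU agree on the data frame; without it, the IOMMU's view of guest address 0 is the frame holding the leaf table, which is the write access the advisory describes.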
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01eab127a243956ce4de2e0b9ce1221352851c86

commit 01eab127a243956ce4de2e0b9ce1221352851c86
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-11-24 06:11:59 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2021-11-24 07:43:30 +0000

    app-emulation/xen: add 4.14.3-r2 and 4.15.1-r2

    Bug: https://bugs.gentoo.org/825354
    Bug: https://bugs.gentoo.org/826998
    Closes: https://bugs.gentoo.org/819408
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/23064
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest | 2 +
 app-emulation/xen/xen-4.14.3-r2.ebuild | 163 +++++++++++++++++++++++++++++++++
 app-emulation/xen/xen-4.15.1-r2.ebuild | 163 +++++++++++++++++++++++++++++++++
 3 files changed, 328 insertions(+)
Very sorry this was missed.
GLSA request filed
GLSA done, all done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1

commit 22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:28:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-23 ] Xen: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/810341
    Bug: https://bugs.gentoo.org/812485
    Bug: https://bugs.gentoo.org/816882
    Bug: https://bugs.gentoo.org/825354
    Bug: https://bugs.gentoo.org/832039
    Bug: https://bugs.gentoo.org/835401
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-23.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)