lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU.
P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.
XAPI open file limit DoS It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other (trusted) clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors.
Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.
Tomas, these are all fixed in 4.15.4_pre1, then?
(In reply to John Helmert III from comment #1)
> Tomas, these are all fixed in 4.15.4_pre1, then?
The bug has been referenced in the following commit(s):
Author: Tomáš Mózes <firstname.lastname@example.org>
AuthorDate: 2022-10-26 05:07:20 +0000
Commit: John Helmert III <email@example.com>
CommitDate: 2022-10-26 14:26:16 +0000
app-emulation/xen: drop vulnerable
Signed-off-by: Tomáš Mózes <firstname.lastname@example.org>
Signed-off-by: John Helmert III <email@example.com>
app-emulation/xen/xen-4.15.3.ebuild | 183 ------------------------------------
app-emulation/xen/xen-4.16.2.ebuild | 174 ----------------------------------
2 files changed, 357 deletions(-)