Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 929038 (CVE-2023-46842, CVE-2024-31142, XSA-454, XSA-455) - <app-emulation/xen-4.17.4: multiple vulnerabilities
Summary: <app-emulation/xen-4.17.4: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-46842, CVE-2024-31142, XSA-454, XSA-455
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 929053
Blocks:
  Show dependency tree
 
Reported: 2024-04-10 05:48 UTC by Tomáš Mózes
Modified: 2024-05-29 09:07 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tomáš Mózes 2024-04-10 05:48:23 UTC
https://xenbits.xen.org/xsa/advisory-454.html

x86 HVM hypercalls may trigger Xen bug check

ISSUE DESCRIPTION
=================

Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and
other modes.  This in particular means that they may set registers used
to pass 32-bit-mode hypercall arguments to values outside of the range
32-bit code would be able to set them to.

When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation.  Doing so
involves putting (perhaps updated) hypercall arguments in respective
registers.  For guests not running in 64-bit mode this further involves
a certain amount of translation of the values.

Unfortunately internal sanity checking of these translated values
assumes high halves of registers to always be clear when invoking a
hypercall.  When this is found not to be the case, it triggers a
consistency check in the hypervisor and causes a crash.

IMPACT
======

A HVM or PVH guest can cause a hypervisor crash, causing a Denial of
Service (DoS) of the entire host.


https://xenbits.xen.org/xsa/advisory-455.html

x86: Incorrect logic for BTC/SRSO mitigations


ISSUE DESCRIPTION
=================

Because of a logical error in XSA-407 (Branch Type Confusion), the
mitigation is not applied properly when it is intended to be used.
XSA-434 (Speculative Return Stack Overflow) uses the same
infrastructure, so is equally impacted.

For more details, see:
  https://xenbits.xen.org/xsa/advisory-407.html
  https://xenbits.xen.org/xsa/advisory-434.html

IMPACT
======

XSAs 407 and 434 are unmitigated, even when the patches are in place.
Comment 1 Larry the Git Cow gentoo-dev 2024-04-10 06:43:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d31f537201f13b73921965d76da5934c0045a4a9

commit d31f537201f13b73921965d76da5934c0045a4a9
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-04-10 06:23:29 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-04-10 06:43:18 +0000

    app-emulation/xen: add 4.17.4
    
    Fixes XSA-454, XSA-455
    
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest          |   1 +
 app-emulation/xen/xen-4.17.4.ebuild | 179 ++++++++++++++++++++++++++++++++++++
 2 files changed, 180 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7ce4f82dd1b7feb09f791b626796954fff357f2

commit d7ce4f82dd1b7feb09f791b626796954fff357f2
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-04-10 06:22:23 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-04-10 06:43:17 +0000

    app-emulation/xen-tools: add 4.17.4
    
    Fixes XSA-454, XSA-455
    
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen-tools/Manifest                |   1 +
 app-emulation/xen-tools/xen-tools-4.17.4.ebuild | 524 ++++++++++++++++++++++++
 2 files changed, 525 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-05-29 08:32:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c37fde91730804f6895e61e65b1d98c215efbf9

commit 1c37fde91730804f6895e61e65b1d98c215efbf9
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-05-28 16:39:56 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2024-05-29 08:31:35 +0000

    app-emulation/xen: drop 4.17.4_pre2
    
    Bug: https://bugs.gentoo.org/929038
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/36435
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 app-emulation/xen/Manifest               |   2 -
 app-emulation/xen/xen-4.17.4_pre2.ebuild | 179 -------------------------------
 2 files changed, 181 deletions(-)