812485 – (CVE-2021-28701, XSA-384) <app-emulation/xen-{4.14.3,4.15.1}: race in XENMAPSPACE_grant_table (CVE-2021-28701)

Bug 812485 (CVE-2021-28701, XSA-384) - <app-emulation/xen-{4.14.3,4.15.1}: race in XENMAPSPACE_grant_table (CVE-2021-28701)

Summary: <app-emulation/xen-{4.14.3,4.15.1}: race in XENMAPSPACE_grant_table (CVE-2021...

Status:	RESOLVED FIXED

Alias:	CVE-2021-28701, XSA-384

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://xenbits.xen.org/xsa/advisory-3...
Whiteboard:	B4 [glsa+]
Keywords:

Depends on:	CVE-2021-28694, CVE-2021-28695, CVE-2021-28696, CVE-2021-28697, CVE-2021-28698, CVE-2021-28699, CVE-2021-28700, XSA-378, XSA-379, XSA-380, XSA-382, XSA-383
Blocks:
	Show dependency tree

Reported:	2021-09-10 19:28 UTC by John Helmert III
Modified:	2022-08-14 14:34 UTC (History)
CC List:	4 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/22270
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-09-10 19:28:42 UTC

CVE-2021-28701:

Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.

Comment 1 Larry the Git Cow gentoo-dev

2021-09-18 09:50:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f2c2f779b6943e83e77b248b567c1e1d840c137

commit 4f2c2f779b6943e83e77b248b567c1e1d840c137
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-09-11 11:01:18 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-09-18 09:49:58 +0000

    app-emulation/xen: bump to 4.14.3/4.15.1
    
    Bug: https://bugs.gentoo.org/812485
    Bug: https://bugs.gentoo.org/810341
    Closes: https://bugs.gentoo.org/800935
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/22270
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-emulation/xen/Manifest                   |   2 +
 app-emulation/xen/files/xen-4.15-flask.patch |  13 +++
 app-emulation/xen/xen-4.14.3.ebuild          | 167 +++++++++++++++++++++++++++
 app-emulation/xen/xen-4.15.1.ebuild          | 167 +++++++++++++++++++++++++++
 4 files changed, 349 insertions(+)

Comment 2 Tomáš Mózes 2021-12-18 01:13:11 UTC

This is done, tree clean.

Comment 3 John Helmert III archtester

2022-08-14 04:51:55 UTC

GLSA request filed

Comment 4 Sam James archtester

2022-08-14 14:30:49 UTC

GLSA done, all done.

Comment 5 Larry the Git Cow gentoo-dev

2022-08-14 14:34:01 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1

commit 22bc39ed12fa34e39fcf5a2559a7f2135d98e1b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:28:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-23 ] Xen: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/810341
    Bug: https://bugs.gentoo.org/812485
    Bug: https://bugs.gentoo.org/816882
    Bug: https://bugs.gentoo.org/825354
    Bug: https://bugs.gentoo.org/832039
    Bug: https://bugs.gentoo.org/835401
    Bug: https://bugs.gentoo.org/850802
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-23.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)