Source: xen
Version: 4.17.0+46-gaaf74a532c-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for xen.

CVE-2022-42331[0]:
| x86: speculative vulnerability in 32bit SYSCALL path
|
| Due to an oversight in the very original Spectre/Meltdown security work
| (XSA-254), one entrypath performs its speculation-safety actions too
| late.
|
| In some configurations, there is an unprotected RET instruction which
| can be attacked with a variety of speculative attacks.

CVE-2022-42332[1]:
| x86 shadow plus log-dirty mode use-after-free
|
| In environments where host assisted address translation is necessary
| but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests
| in so called shadow mode.
|
| Shadow mode maintains a pool of memory used for both shadow page
| tables as well as auxiliary data structures. To migrate or snapshot
| guests, Xen additionally runs them in so called log-dirty mode. The
| data structures needed by the log-dirty tracking are part of
| aforementioned auxiliary data.
|
| In order to keep error handling efforts within reasonable bounds, for
| operations which may require memory allocations shadow mode logic
| ensures up front that enough memory is available for the worst case
| requirements.
|
| Unfortunately, while page table memory is properly accounted for on
| the code path requiring the potential establishing of new shadows,
| demands by the log-dirty infrastructure were not taken into
| consideration. As a result, just established shadow page tables could
| be freed again immediately, while other code is still accessing them
| on the assumption that they would remain allocated.

CVE-2022-42333[2]:
| x86/HVM pinned cache attributes mis-handling
|
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
|
| To allow cachability control for HVM guests with passed through
| devices, an interface exists to explicitly override defaults which
| would otherwise be put in place. While not exposed to the affected
| guests themselves, the interface specifically exists for domains
| controlling such guests. This interface may therefore be used by not
| fully privileged entities, e.g. qemu running deprivileged in Dom0 or
| qemu running in a so called stub-domain.
|
| With this exposure it is an issue that
| - the number of such controlled regions was unbounded
|   (CVE-2022-42333),
| - installation and removal of such regions was not properly
|   serialized (CVE-2022-42334).

CVE-2022-42334[3]:
| x86/HVM pinned cache attributes mis-handling
|
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
|
| To allow cachability control for HVM guests with passed through
| devices, an interface exists to explicitly override defaults which
| would otherwise be put in place. While not exposed to the affected
| guests themselves, the interface specifically exists for domains
| controlling such guests. This interface may therefore be used by not
| fully privileged entities, e.g. qemu running deprivileged in Dom0 or
| qemu running in a so called stub-domain.
|
| With this exposure it is an issue that
| - the number of such controlled regions was unbounded
|   (CVE-2022-42333),
| - installation and removal of such regions was not properly
|   serialized (CVE-2022-42334).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-42331
    https://www.cve.org/CVERecord?id=CVE-2022-42331
[1] https://security-tracker.debian.org/tracker/CVE-2022-42332
    https://www.cve.org/CVERecord?id=CVE-2022-42332
[2] https://security-tracker.debian.org/tracker/CVE-2022-42333
    https://www.cve.org/CVERecord?id=CVE-2022-42333
[3] https://security-tracker.debian.org/tracker/CVE-2022-42334
    https://www.cve.org/CVERecord?id=CVE-2022-42334

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore