Message-Id: <E1oppwk-0005VB-Hi@xenbits.xenproject.org>
Date: Tue, 01 Nov 2022 12:00:46 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 418 v2 (CVE-2022-42321) - Xenstore: Guests
 can crash xenstored via exhausting the stack

            Xen Security Advisory CVE-2022-42321 / XSA-418
                               version 2

      Xenstore: Guests can crash xenstored via exhausting the stack

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Xenstored is using recursion for some Xenstore operations (e.g. for
deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting
levels this can result in stack exhaustion on xenstored, leading to a
crash of xenstored.

IMPACT
======

A malicious guest creating very deep nesting levels of Xenstore nodes
might be able to crash xenstored, resulting in a Denial of Service (DoS)
of Xenstore.

This will inhibit creation of new guests or changing the configuration of
already running guests.

VULNERABLE SYSTEMS
==================

All versions of Xen are affected.

Only systems running the C variant of Xenstore (xenstored or xenstore-
stubdom) are vulnerable.

Systems using the OCaml variant of Xenstore (oxenstored) are not vulnerable.

MITIGATION
==========

Running oxenstored instead of xenstored will avoid the vulnerability.

CREDITS
=======

This issue was discovered by David Vrabel of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa418/xsa418-??.patch           xen-unstable
xsa418/xsa418-4.16-??.patch      Xen 4.16.x
xsa418/xsa418-4.15-??.patch      Xen 4.15.x
xsa418/xsa418-4.14-??.patch      Xen 4.14.x - 4.13.x

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
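
The failure mode in ISSUE DESCRIPTION, shown as an added illustration: this code is not part of the advisory and is not taken from the xsa418 patches or from xenstored. It contrasts a recursive sub-tree delete, whose stack use grows with nesting depth, with an iterative one whose stack use is constant. The node layout and all function names are hypothetical.

```c
#include <stdlib.h>
/* Hypothetical node layout for this example; not xenstored's structures. */
struct node { struct node *child, *sibling; };

/* Recursive: one stack frame per nesting level, so tree depth sets stack use. */
static size_t delete_recursive(struct node *n)
{
    size_t freed = 0;
    for (struct node *next; n; n = next) {
        next = n->sibling;
        freed += delete_recursive(n->child) + 1;
        free(n);
    }
    return freed;
}

/* Iterative: children are spliced onto a pending list threaded through
 * ->sibling, so stack use is constant whatever the depth. */
static size_t delete_iterative(struct node *pending)
{
    size_t freed = 0;
    while (pending) {
        struct node *n = pending, *tail = n->child;
        pending = n->sibling;
        if (tail) {
            while (tail->sibling) tail = tail->sibling;
            tail->sibling = pending;
            pending = n->child;
        }
        free(n);
        freed++;
    }
    return freed;
}

/* Constructed input: a chain `depth` levels deep, one extra leaf per level. */
static struct node *make_deep_tree(size_t depth)
{
    struct node *root = depth ? calloc(1, sizeof *root) : NULL, *cur = root;
    for (size_t i = 1; cur && i < depth; i++) {
        struct node *n = calloc(1, sizeof *n), *leaf = calloc(1, sizeof *leaf);
        if (!n || !leaf) abort();
        n->sibling = leaf;
        cur = cur->child = n;
    }
    return root;
}

int main(void)
{
    return delete_iterative(make_deep_tree(200000)) == 399999 ? 0 : 1;
}
```

Only the iterative version is run on the deep tree; the recursive one is exercised at a shallow depth because its stack use scales with the depth of the input.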
