Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1nSHSz-0001kJ-R6@xenbits.xenproject.org>
Date: Thu, 10 Mar 2022 12:00:25 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 396 v3 (CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042)
 - Linux PV device frontends vulnerable to attacks by backends

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042 / XSA-396
                                                                 version 3

      Linux PV device frontends vulnerable to attacks by backends

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Several Linux PV device frontends are using the grant table interfaces
for removing access rights of the backends in ways being subject to
race conditions, resulting in potential data leaks, data corruption
by malicious backends, and denial of service triggered by malicious
backends:

blkfront, netfront, scsifront and the gntalloc driver are testing
whether a grant reference is still in use. If this is not the case,
they assume that a following removal of the granted access will always
succeed, which is not true in case the backend has mapped the granted
page between those two operations. As a result the backend can keep
access to the memory page of the guest no matter how the page will be
used after the frontend I/O has finished. The xenbus driver has a
similar problem, as it doesn't check the success of removing the
granted access of a shared ring buffer.
blkfront: CVE-2022-23036
netfront: CVE-2022-23037
scsifront: CVE-2022-23038
gntalloc: CVE-2022-23039
xenbus: CVE-2022-23040

blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront,
and pvcalls are using a functionality to delay freeing a grant reference
until it is no longer in use, but the freeing of the related data page
is not synchronized with dropping the granted access. As a result the
backend can keep access to the memory page even after it has been freed
and then re-used for a different purpose.
CVE-2022-23041


netfront will fail a BUG_ON() assertion if it fails to revoke access in
the rx path. This will result in a Denial of Service (DoS) situation of
the guest which can be triggered by the backend.
CVE-2022-23042

IMPACT
======

Due to race conditions and missing tests of return codes in the Linux
PV device frontend drivers a malicious backend could gain access (read
and write) to memory pages it shouldn't have, or it could directly
trigger Denial of Service (DoS) in the guest.

VULNERABLE SYSTEMS
==================

All Linux guests using PV devices are vulnerable in case potentially
malicious PV device backends are being used.

MITIGATION
==========

There is no mitigation available other than not using PV devices in case
a backend is suspected to be potentially malicious.

RESOLUTION
==========

Applying the attached patches resolves this issue.

xsa396-linux-*.patch   Linux upstream

$ sha256sum xsa396*
d21d2d2c499d8e7c1cbc347d9df118b27af7d7c9ca5c104fcf1fef022ba6b92d  xsa396-linux-01.patch
c150c7873497b4d9807fcfe2a4a4831b033597db3d4c3dfaada1e647db1395fa  xsa396-linux-02.patch
6439ac16b6d6b29d6773d00895776a7392a321caa01f569062c4140d3d66167c  xsa396-linux-03.patch
2cc0b472514be47690ef257ab8d296bbec1827d18f98e1f1bbbfea53aafec78c  xsa396-linux-04.patch
cd6b6e65fe9915f98b04363bf1f22ddbd7c448215d52858ad1a2318bb1f034c8  xsa396-linux-05.patch
353e4de564897ad07120b17aa7a6a22b90fba6e65f39c20fe561ba06405656f3  xsa396-linux-06.patch
bf923c3bc92a908215d5ade016d27f56d1e445da88b04e1e1d4530ea5b139be3  xsa396-linux-07.patch
0a306ed20e4259e2a3583bfab14672a245bd33b24e95e5df8bfc30a25f7e18c6  xsa396-linux-08.patch
130b8305ba8c10e2942553078b845899ef79c5570692a499569a526b1e39d4fe  xsa396-linux-09.patch
1f70bdc0a5c1ff1b538d8cbec17e99af5888669f3a33ad8a02d2026719ad4bc9  xsa396-linux-10.patch
48fd782c6b0b705ccb59885d0e1562873f44478ea87f705f08ce18336bc19257  xsa396-linux-11.patch
d720350d36f7434e2cad1cb0ae0ed48776ad870a7b1e61cdd08d80fb4a787d59  xsa396-linux-12.patch
$

CREDITS
=======

This issue was discovered by Demi Marie Obenour and Simon Gaiser of
Invisible Things Lab.

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because the patches need to be applied in the affected guests.
Switching from PV to non-PV devices is observable by the guests and has
usually a bad performance impact.

Deployment is permitted only AFTER the embargo ends.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmIp2PYMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZKEAIAKS8IFrluU7bw2k0ll8LfDdwI1skWPzEW++bsEjl
G3eS2bIzOsI/HO5j8HKkxu7N/bPZF8U82+yrDtBYk7y1E8YnqoSyUB4Lc3Bv71gQ
6MVaLasbY5GrfUdK5lZyoepjudiPa+1/dOO7W3ZOJm7eLq0dTnTuR7vkyqEKQ2vY
tYC+ubssufuo1FevGANuh2XZe6GUY9hqpBpyVwqArbUVicKC1RhKfBDYyZpSXd/W
BIzwTZdWQlRIvu4TyPQTdFRjGH4gVf8roquHXDTJUHtItxomltq7irGdw/89y7EM
8abL+ZlUYHCb03RCT6ccTmExyVDrJ3h1JmWrqnIXpvApyAU=
=b5Zc
-----END PGP SIGNATURE-----

Download attachment "xsa396-linux-01.patch" of type "application/octet-stream" (2607 bytes)

Download attachment "xsa396-linux-02.patch" of type "application/octet-stream" (3058 bytes)

Download attachment "xsa396-linux-03.patch" of type "application/octet-stream" (6890 bytes)

Download attachment "xsa396-linux-04.patch" of type "application/octet-stream" (1763 bytes)

Download attachment "xsa396-linux-05.patch" of type "application/octet-stream" (1566 bytes)

Download attachment "xsa396-linux-06.patch" of type "application/octet-stream" (2470 bytes)

Download attachment "xsa396-linux-07.patch" of type "application/octet-stream" (3260 bytes)

Download attachment "xsa396-linux-08.patch" of type "application/octet-stream" (3705 bytes)

Download attachment "xsa396-linux-09.patch" of type "application/octet-stream" (2607 bytes)

Download attachment "xsa396-linux-10.patch" of type "application/octet-stream" (1589 bytes)

Download attachment "xsa396-linux-11.patch" of type "application/octet-stream" (5224 bytes)

Download attachment "xsa396-linux-12.patch" of type "application/octet-stream" (4268 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.