Bug 1196488 (CVE-2022-23036)

Summary: VUL-0: CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: xen: Linux PV device frontends vulnerable to attacks by backends (XSA-396)
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Holger Hetterich <hhetter>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carnold, cathy.hu, gabriele.sonnu, gianluca.gabrielli, kernel-bugs, meissner, ptesarik, rfrohl, stoyan.manolov, xen-bugs
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/324768/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-23036:7.5:(AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2022-23037:7.5:(AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2022-23038:7.5:(AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2022-23039:7.5:(AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2022-23040:7.5:(AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2022-23041:7.5:(AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) CVSSv3.1:SUSE:CVE-2022-23042:7.5:(AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1199141    
Attachments: Attached patches
SLE11-SP4 backports

Description Carlos López 2022-02-25 10:07:36 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-396

      Linux PV device frontends vulnerable to attacks by backends

              *** EMBARGOED UNTIL 2022-03-10 12:00 UTC ***

ISSUE DESCRIPTION
=================

Several Linux PV device frontends are using the grant table interfaces
for removing access rights of the backends in ways being subject to
race conditions, resulting in potential data leaks, data corruption
by malicious backends, and denial of service triggered by malicious
backends:

blkfront, netfront, scsifront, usbfront and the gntalloc driver are
testing whether a grant reference is still in use. If this is not the
case, they assume that a following removal of the granted access will
always succeed, which is not true in case the backend has mapped the
granted page between those two operations. As a result the backend can
keep access to the memory page of the guest no matter how the page will
be used after the frontend I/O has finished. The xenbus driver has a
similar problem, as it doesn't check the success of removing the granted
access of a shared ring buffer.

blkfront, netfront, scsifront, dmabuf, xenbus, 9p, kbdfront, and pvcalls
are using a functionality to delay freeing a grant reference until it is
no longer in use, but the are freeing of the related data page is not
synchronized with dropping the granted access. As a result the backend
can keep access to the memory page even after it has been freed and then
re-used for a different purpose.

netfront will fail a BUG_ON() assertion if it fails to revoke access in
the rx path. This will result in a Denial of Service (DoS) situation of
the guest which can be triggered by the backend.

IMPACT
======

Due to race conditions and missing tests of return codes in the Linux
PV device frontend drivers a malicious backend could gain access (read
and write) to memory pages it shouldn't have, or it could directly
trigger Denial of Service (DoS) in the guest.

VULNERABLE SYSTEMS
==================

All Linux guests using PV devices are vulnerable in case potentially
malicious PV device backends are being used.

MITIGATION
==========

There is no mitigation available other than not using PV devices in case
a backend is suspected to be potentially malicious.

RESOLUTION
==========

Applying the attached patches resolves this issue.

xsa396-linux-*.patch   Linux upstream

$ sha256sum xsa396*
61aae811399c254779f31bad0a53c0250279256a63ec0f5140a83be41eb009ce  xsa396-linux-01.patch
db6cc57a15b0ec2cd1cba98a47d822db5b5be3dffd20db36f092d25eb40ca39e  xsa396-linux-02.patch
8f69d148a35856b551affd1f315d9a7095a3c1349bfab546d1ed3fc4b3aa912b  xsa396-linux-03.patch
9bc3c7f0fce2d468cf95c0c14065a44880bde0de9b7570ee86f66f08e1b7321d  xsa396-linux-04.patch
a47fb5f16db0227f7a08061d8a83be2b6d2d347ba539be3468d4e90db66018e1  xsa396-linux-05.patch
dd0153e912678f6d535b3e4db63cb4c778b6847020cec3768dd86ccba0f85a30  xsa396-linux-06.patch
4f60486e663a948d2e57c1b51088fb2430b9d7e7e6bd60ac67ff98175da0316b  xsa396-linux-07.patch
7db9334e1fd752a95d46153e2b3d41c1998f52c60c156bdf7abd72a8123fe76e  xsa396-linux-08.patch
6fd9695d0ac7799da359405dda7e1bfa32ff341dcd2e8973c653fd1d49f5e54f  xsa396-linux-09.patch
01f2578298d8d53a44a4b9110172f55562f79843ca5d94905db24cfb1a516916  xsa396-linux-10.patch
82623eedfb450e3fa39bd1a0f039abe41ce3834b52993399d2c83797b5ffaab9  xsa396-linux-11.patch
ea9a17ed4720ae5de46468ef9f951d44d3e6e5b49211bb063a32044b5260aab6  xsa396-linux-12.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because the patches need to be applied in the affected guests.
Switching from PV to non-PV devices is observable by the guests and has
usually a bad performance impact.

Deployment is permitted only AFTER the embargo ends.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmIYoncMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZY6oH/0yUC97839dSCtjpnaznq5SQnFEQHq3kICKPCC8e
fpp/okMmnAX/e74ym6SE6J0tdiPd5MG9tTZie3GmiK1j2fUqAs7iLWuUTCun+bj0
zwO2PnietVVV/GD0I2jipPOwgw5WDlNN/7VJInlORUGH1OZjlAxHPFGjaezN+9YG
rl5/f3qKhRYhXYfW8KtpPBClnPa9jsM3vi/gX/u6cQo0tEp3TspVmyuDuqluWXYU
9SeZVvm/ALQEPwGTM5y04Jr4rw9jKR1uCEZbOBXbzt2IzpsuTvjXPiO6gNqOT725
S9PUxAQWnQFtGt5EaSCpdtMtbsg61rjDIenl3J7quGKcojo=
=ws9i
-----END PGP SIGNATURE-----
Comment 3 Carlos López 2022-02-25 10:17:12 UTC 
Created attachment 856569 [details]
Attached patches
Comment 5 Jürgen Groß 2022-02-25 15:38:51 UTC 
I'm handling it, like all Xen related kernel stuff.
Comment 6 Carlos López 2022-02-25 15:52:14 UTC 
Unless I'm missing something, it looks like all kernel branches are affected, since gnttab_query_foreign_access() is misused across all branches. Tracking as such.
Comment 7 Jürgen Groß 2022-02-25 16:04:54 UTC 
Yes, all kernels are affected.
Comment 8 Carlos López 2022-03-07 11:59:18 UTC 
CVEs assigned:
blkfront: CVE-2022-23036
netfront: CVE-2022-23037
scsifront: CVE-2022-23038
gntalloc: CVE-2022-23039
xenbus: CVE-2022-23040
Comment 9 Jürgen Groß 2022-03-07 13:25:34 UTC 
(In reply to Carlos López from comment #8)
> CVEs assigned:
> blkfront: CVE-2022-23036
> netfront: CVE-2022-23037
> scsifront: CVE-2022-23038
> gntalloc: CVE-2022-23039
> xenbus: CVE-2022-23040

And 2 more:

CVE-2022-23041 (fix in xenbus with prerequisite patches in multiple frontends)
CVE-2022-23042 (netfront only)

BTW, as the issues are relevant for disaggregated setups of Xen hosts only (usage of driver domains), which AFAIK none of our customers is using, I'm planning to submit the patches after they have been added upstream. Linus is already informed and he has agreed to do so before the final 5.17 release. Please speak up if I should use early EMBARGO branch submissions instead.
Comment 10 Carlos López 2022-03-10 12:02:59 UTC 
Public:
https://xenbits.xen.org/xsa/advisory-396.html
Comment 18 Swamp Workflow Management 2022-03-30 13:21:44 UTC 
SUSE-SU-2022:1039-1: An update that solves 22 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1194943,1195051,1195211,1195254,1195353,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196130,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196488,1196627,1196723,1196779,1196830,1196836,1196866,1196868,1196956,1196959
CVE References: CVE-2021-0920,CVE-2021-39657,CVE-2021-39698,CVE-2021-44879,CVE-2021-45402,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490,CVE-2022-26966
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.60.4, kernel-preempt-5.3.18-150300.59.60.4
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.60.4, kernel-livepatch-SLE15-SP3_Update_16-1-150300.7.5.3
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.60.4
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.60.4, kernel-obs-build-5.3.18-150300.59.60.4, kernel-preempt-5.3.18-150300.59.60.4, kernel-source-5.3.18-150300.59.60.4, kernel-syms-5.3.18-150300.59.60.4
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.60.4, kernel-default-5.3.18-150300.59.60.4, kernel-default-base-5.3.18-150300.59.60.4.150300.18.37.5, kernel-preempt-5.3.18-150300.59.60.4, kernel-source-5.3.18-150300.59.60.4, kernel-zfcpdump-5.3.18-150300.59.60.4
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.60.4, kernel-default-base-5.3.18-150300.59.60.4.150300.18.37.5
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.60.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2022-03-30 13:26:16 UTC 
SUSE-SU-2022:1038-1: An update that solves 24 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193787,1194516,1194943,1195051,1195211,1195353,1195403,1195516,1195612,1195897,1195908,1195947,1195949,1195987,1196079,1196095,1196130,1196155,1196299,1196301,1196403,1196468,1196472,1196488,1196627,1196723,1196776,1196779,1196830,1196866,1196868,1197300,922815,998635
CVE References: CVE-2021-0920,CVE-2021-39698,CVE-2021-44879,CVE-2021-45402,CVE-2022-0487,CVE-2022-0492,CVE-2022-0516,CVE-2022-0617,CVE-2022-0644,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490,CVE-2022-26966,CVE-2022-27223
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.82.1, kernel-rt_debug-5.3.18-150300.82.1, kernel-source-rt-5.3.18-150300.82.1, kernel-syms-rt-5.3.18-150300.82.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2022-03-30 13:32:33 UTC 
openSUSE-SU-2022:1039-1: An update that solves 22 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1194943,1195051,1195211,1195254,1195353,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196130,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196488,1196627,1196723,1196779,1196830,1196836,1196866,1196868,1196956,1196959
CVE References: CVE-2021-0920,CVE-2021-39657,CVE-2021-39698,CVE-2021-44879,CVE-2021-45402,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490,CVE-2022-26966
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.60.4, kernel-preempt-5.3.18-150300.59.60.4
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.60.4, kernel-64kb-5.3.18-150300.59.60.4, kernel-debug-5.3.18-150300.59.60.4, kernel-default-5.3.18-150300.59.60.4, kernel-default-base-5.3.18-150300.59.60.4.150300.18.37.5, kernel-docs-5.3.18-150300.59.60.4, kernel-kvmsmall-5.3.18-150300.59.60.4, kernel-obs-build-5.3.18-150300.59.60.4, kernel-obs-qa-5.3.18-150300.59.60.4, kernel-preempt-5.3.18-150300.59.60.4, kernel-source-5.3.18-150300.59.60.4, kernel-syms-5.3.18-150300.59.60.4, kernel-zfcpdump-5.3.18-150300.59.60.4
Comment 38 Swamp Workflow Management 2022-04-12 16:25:37 UTC 
SUSE-SU-2022:1163-1: An update that solves 25 vulnerabilities and has 33 fixes is now available.

Category: security (important)
Bug References: 1065729,1156395,1175667,1177028,1178134,1179639,1180153,1189562,1194589,1194625,1194649,1194943,1195051,1195353,1195640,1195926,1196018,1196130,1196196,1196478,1196488,1196761,1196823,1196956,1197227,1197243,1197245,1197300,1197302,1197331,1197343,1197366,1197389,1197460,1197462,1197501,1197534,1197661,1197675,1197677,1197702,1197811,1197812,1197815,1197817,1197819,1197820,1197888,1197889,1197894,1198027,1198028,1198029,1198030,1198031,1198032,1198033,1198077
CVE References: CVE-2021-39698,CVE-2021-45402,CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1011,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-1195,CVE-2022-1198,CVE-2022-1199,CVE-2022-1205,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-27223,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.53.1, kernel-source-azure-5.3.18-150300.38.53.1, kernel-syms-azure-5.3.18-150300.38.53.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.53.1, kernel-source-azure-5.3.18-150300.38.53.1, kernel-syms-azure-5.3.18-150300.38.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 39 Swamp Workflow Management 2022-04-14 10:22:44 UTC 
SUSE-SU-2022:1196-1: An update that solves 22 vulnerabilities, contains three features and has 39 fixes is now available.

Category: security (important)
Bug References: 1065729,1114648,1180153,1184207,1189562,1191428,1191451,1191580,1192273,1193738,1194163,1194541,1194580,1194586,1194590,1194591,1194943,1195051,1195353,1195403,1195480,1195482,1196018,1196114,1196339,1196367,1196468,1196478,1196488,1196514,1196639,1196657,1196723,1196761,1196830,1196836,1196901,1196942,1196973,1196999,1197099,1197227,1197331,1197366,1197462,1197531,1197661,1197675,1197754,1197755,1197756,1197757,1197758,1197760,1197763,1197806,1197894,1197914,1198031,1198032,1198033
CVE References: CVE-2021-39713,CVE-2021-45868,CVE-2022-0001,CVE-2022-0002,CVE-2022-0812,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-23960,CVE-2022-26490,CVE-2022-26966,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: SLE-15288,SLE-18234,SLE-24125
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.116.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.116.1, kernel-obs-build-4.12.14-122.116.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.116.1, kernel-source-4.12.14-122.116.1, kernel-syms-4.12.14-122.116.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.116.1, kgraft-patch-SLE12-SP5_Update_30-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.116.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 40 Swamp Workflow Management 2022-04-14 13:21:39 UTC 
SUSE-SU-2022:1197-1: An update that solves 21 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1179639,1189562,1193731,1194943,1195051,1195254,1195353,1195403,1195939,1196018,1196196,1196468,1196488,1196761,1196823,1196830,1196836,1196956,1197227,1197331,1197366,1197389,1197462,1197702,1197914,1198031,1198032,1198033
CVE References: CVE-2021-0920,CVE-2021-39698,CVE-2021-45868,CVE-2022-0850,CVE-2022-0854,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-obs-build-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Manager Retail Branch Server 4.1 (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Manager Proxy 4.1 (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-obs-build-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-obs-build-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-150200.24.112.1, kernel-livepatch-SLE15-SP2_Update_26-1-150200.5.5.1
SUSE Linux Enterprise Micro 5.0 (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-obs-build-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-obs-build-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-150200.24.112.1
SUSE Enterprise Storage 7 (src):    kernel-default-5.3.18-150200.24.112.1, kernel-default-base-5.3.18-150200.24.112.1.150200.9.52.2, kernel-docs-5.3.18-150200.24.112.1, kernel-obs-build-5.3.18-150200.24.112.1, kernel-preempt-5.3.18-150200.24.112.1, kernel-source-5.3.18-150200.24.112.1, kernel-syms-5.3.18-150200.24.112.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 41 Swamp Workflow Management 2022-04-19 13:24:38 UTC 
SUSE-SU-2022:1257-1: An update that solves 33 vulnerabilities, contains one feature and has 9 fixes is now available.

Category: security (important)
Bug References: 1179639,1189126,1189562,1193731,1194516,1194943,1195051,1195254,1195286,1195353,1195403,1195516,1195543,1195612,1195897,1195905,1195939,1195987,1196018,1196079,1196095,1196155,1196196,1196235,1196468,1196488,1196612,1196761,1196776,1196823,1196830,1196836,1196956,1197227,1197331,1197366,1197389,1197462,1197702,1198031,1198032,1198033
CVE References: CVE-2021-0920,CVE-2021-39698,CVE-2021-44879,CVE-2021-45868,CVE-2022-0487,CVE-2022-0492,CVE-2022-0516,CVE-2022-0617,CVE-2022-0644,CVE-2022-0850,CVE-2022-0854,CVE-2022-1016,CVE-2022-1048,CVE-2022-1055,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25375,CVE-2022-26490,CVE-2022-26966,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390,CVE-2022-28748
JIRA References: SLE-23652
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP2 (src):    kernel-rt-5.3.18-150200.79.2, kernel-rt_debug-5.3.18-150200.79.2, kernel-source-rt-5.3.18-150200.79.2, kernel-syms-rt-5.3.18-150200.79.1
SUSE Linux Enterprise Micro 5.0 (src):    kernel-rt-5.3.18-150200.79.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 42 Swamp Workflow Management 2022-04-19 13:29:25 UTC 
SUSE-SU-2022:1255-1: An update that solves 20 vulnerabilities, contains one feature and has three fixes is now available.

Category: security (important)
Bug References: 1189562,1194943,1195051,1195353,1196018,1196114,1196468,1196488,1196514,1196639,1196761,1196830,1196836,1196942,1196973,1197131,1197227,1197331,1197366,1197391,1198031,1198032,1198033
CVE References: CVE-2021-39713,CVE-2021-45868,CVE-2022-0812,CVE-2022-0850,CVE-2022-0886,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: SLE-18234
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    kernel-default-4.12.14-150000.150.89.1, kernel-docs-4.12.14-150000.150.89.1, kernel-obs-build-4.12.14-150000.150.89.1, kernel-source-4.12.14-150000.150.89.1, kernel-syms-4.12.14-150000.150.89.1, kernel-vanilla-4.12.14-150000.150.89.1
SUSE Linux Enterprise Server 15-LTSS (src):    kernel-default-4.12.14-150000.150.89.1, kernel-docs-4.12.14-150000.150.89.1, kernel-obs-build-4.12.14-150000.150.89.1, kernel-source-4.12.14-150000.150.89.1, kernel-syms-4.12.14-150000.150.89.1, kernel-vanilla-4.12.14-150000.150.89.1, kernel-zfcpdump-4.12.14-150000.150.89.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-150000.150.89.1, kernel-livepatch-SLE15_Update_29-1-150000.1.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    kernel-default-4.12.14-150000.150.89.1, kernel-docs-4.12.14-150000.150.89.1, kernel-obs-build-4.12.14-150000.150.89.1, kernel-source-4.12.14-150000.150.89.1, kernel-syms-4.12.14-150000.150.89.1, kernel-vanilla-4.12.14-150000.150.89.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    kernel-default-4.12.14-150000.150.89.1, kernel-docs-4.12.14-150000.150.89.1, kernel-obs-build-4.12.14-150000.150.89.1, kernel-source-4.12.14-150000.150.89.1, kernel-syms-4.12.14-150000.150.89.1, kernel-vanilla-4.12.14-150000.150.89.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150000.150.89.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 43 Swamp Workflow Management 2022-04-19 13:34:14 UTC 
SUSE-SU-2022:1256-1: An update that solves 19 vulnerabilities, contains two features and has 6 fixes is now available.

Category: security (important)
Bug References: 1189562,1193738,1194943,1195051,1195254,1195353,1196018,1196114,1196433,1196468,1196488,1196514,1196639,1196761,1196830,1196836,1196942,1196973,1197227,1197331,1197366,1197391,1198031,1198032,1198033
CVE References: CVE-2021-39713,CVE-2021-45868,CVE-2022-0812,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: SLE-18234,SLE-23652
Sources used:
openSUSE Leap 15.4 (src):    kernel-debug-4.12.14-150100.197.111.1, kernel-default-4.12.14-150100.197.111.1, kernel-kvmsmall-4.12.14-150100.197.111.1, kernel-vanilla-4.12.14-150100.197.111.1, kernel-zfcpdump-4.12.14-150100.197.111.1
openSUSE Leap 15.3 (src):    kernel-debug-4.12.14-150100.197.111.1, kernel-default-4.12.14-150100.197.111.1, kernel-kvmsmall-4.12.14-150100.197.111.1, kernel-vanilla-4.12.14-150100.197.111.1, kernel-zfcpdump-4.12.14-150100.197.111.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-default-4.12.14-150100.197.111.1, kernel-docs-4.12.14-150100.197.111.1, kernel-obs-build-4.12.14-150100.197.111.1, kernel-source-4.12.14-150100.197.111.1, kernel-syms-4.12.14-150100.197.111.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-default-4.12.14-150100.197.111.1, kernel-docs-4.12.14-150100.197.111.1, kernel-obs-build-4.12.14-150100.197.111.1, kernel-source-4.12.14-150100.197.111.1, kernel-syms-4.12.14-150100.197.111.1, kernel-zfcpdump-4.12.14-150100.197.111.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-default-4.12.14-150100.197.111.1, kernel-docs-4.12.14-150100.197.111.1, kernel-obs-build-4.12.14-150100.197.111.1, kernel-source-4.12.14-150100.197.111.1, kernel-syms-4.12.14-150100.197.111.1
SUSE Linux Enterprise Module for Live Patching 15-SP1 (src):    kernel-default-4.12.14-150100.197.111.1, kernel-livepatch-SLE15-SP1_Update_30-1-150100.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-default-4.12.14-150100.197.111.1, kernel-docs-4.12.14-150100.197.111.1, kernel-obs-build-4.12.14-150100.197.111.1, kernel-source-4.12.14-150100.197.111.1, kernel-syms-4.12.14-150100.197.111.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-default-4.12.14-150100.197.111.1, kernel-docs-4.12.14-150100.197.111.1, kernel-obs-build-4.12.14-150100.197.111.1, kernel-source-4.12.14-150100.197.111.1, kernel-syms-4.12.14-150100.197.111.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    kernel-default-4.12.14-150100.197.111.1
SUSE Enterprise Storage 6 (src):    kernel-default-4.12.14-150100.197.111.1, kernel-docs-4.12.14-150100.197.111.1, kernel-obs-build-4.12.14-150100.197.111.1, kernel-source-4.12.14-150100.197.111.1, kernel-syms-4.12.14-150100.197.111.1
SUSE CaaS Platform 4.0 (src):    kernel-default-4.12.14-150100.197.111.1, kernel-docs-4.12.14-150100.197.111.1, kernel-obs-build-4.12.14-150100.197.111.1, kernel-source-4.12.14-150100.197.111.1, kernel-syms-4.12.14-150100.197.111.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 44 Swamp Workflow Management 2022-04-19 16:28:41 UTC 
SUSE-SU-2022:1266-1: An update that solves 20 vulnerabilities, contains three features and has 38 fixes is now available.

Category: security (important)
Bug References: 1065729,1114648,1180153,1184207,1189562,1191428,1191451,1192273,1193738,1194163,1194541,1194580,1194586,1194590,1194591,1194943,1195051,1195353,1195403,1195480,1195482,1196018,1196114,1196339,1196367,1196468,1196478,1196488,1196514,1196639,1196723,1196761,1196830,1196836,1196942,1196973,1196999,1197099,1197227,1197331,1197366,1197391,1197462,1197531,1197661,1197675,1197754,1197755,1197756,1197757,1197758,1197760,1197763,1197806,1197894,1198031,1198032,1198033
CVE References: CVE-2021-39713,CVE-2021-45868,CVE-2022-0812,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-27666,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: SLE-15288,SLE-18234,SLE-24125
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.94.1, kernel-source-azure-4.12.14-16.94.1, kernel-syms-azure-4.12.14-16.94.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 45 Swamp Workflow Management 2022-04-19 16:32:55 UTC 
SUSE-SU-2022:1267-1: An update that solves 20 vulnerabilities, contains one feature and has 7 fixes is now available.

Category: security (important)
Bug References: 1180153,1189562,1193738,1194943,1195051,1195353,1196018,1196114,1196468,1196488,1196514,1196573,1196639,1196761,1196830,1196836,1196942,1196973,1197211,1197227,1197331,1197366,1197391,1197462,1198031,1198032,1198033
CVE References: CVE-2021-39713,CVE-2021-45868,CVE-2022-0812,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-27666,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: SLE-18234
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    kernel-default-4.12.14-95.96.1, kernel-source-4.12.14-95.96.1, kernel-syms-4.12.14-95.96.1
SUSE OpenStack Cloud 9 (src):    kernel-default-4.12.14-95.96.1, kernel-source-4.12.14-95.96.1, kernel-syms-4.12.14-95.96.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    kernel-default-4.12.14-95.96.1, kernel-source-4.12.14-95.96.1, kernel-syms-4.12.14-95.96.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    kernel-default-4.12.14-95.96.1, kernel-source-4.12.14-95.96.1, kernel-syms-4.12.14-95.96.1
SUSE Linux Enterprise Live Patching 12-SP4 (src):    kernel-default-4.12.14-95.96.1, kgraft-patch-SLE12-SP4_Update_26-1-6.3.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    kernel-default-4.12.14-95.96.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 46 Swamp Workflow Management 2022-04-20 10:22:40 UTC 
SUSE-SU-2022:1270-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1189562,1196018,1196488,1196761,1196830,1196836,1197227,1197331,1197366
CVE References: CVE-2021-45868,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    kernel-default-4.4.180-94.161.1, kernel-source-4.4.180-94.161.1, kernel-syms-4.4.180-94.161.1, kgraft-patch-SLE12-SP3_Update_44-1-4.5.1
SUSE OpenStack Cloud 8 (src):    kernel-default-4.4.180-94.161.1, kernel-source-4.4.180-94.161.1, kernel-syms-4.4.180-94.161.1, kgraft-patch-SLE12-SP3_Update_44-1-4.5.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    kernel-default-4.4.180-94.161.1, kernel-source-4.4.180-94.161.1, kernel-syms-4.4.180-94.161.1, kgraft-patch-SLE12-SP3_Update_44-1-4.5.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    kernel-default-4.4.180-94.161.1, kernel-source-4.4.180-94.161.1, kernel-syms-4.4.180-94.161.1, kgraft-patch-SLE12-SP3_Update_44-1-4.5.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    kernel-default-4.4.180-94.161.1, kernel-source-4.4.180-94.161.1, kernel-syms-4.4.180-94.161.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.180-94.161.1
HPE Helion Openstack 8 (src):    kernel-default-4.4.180-94.161.1, kernel-source-4.4.180-94.161.1, kernel-syms-4.4.180-94.161.1, kgraft-patch-SLE12-SP3_Update_44-1-4.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 47 Swamp Workflow Management 2022-04-20 16:21:20 UTC 
SUSE-SU-2022:1283-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1189562,1196018,1196488,1196761,1196830,1196836,1197227,1197331,1197366
CVE References: CVE-2021-45868,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.172.1, kernel-source-4.4.121-92.172.1, kernel-syms-4.4.121-92.172.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 48 Swamp Workflow Management 2022-04-26 10:21:51 UTC 
SUSE-SU-2022:1402-1: An update that solves 20 vulnerabilities, contains three features and has 38 fixes is now available.

Category: security (important)
Bug References: 1065729,1114648,1180153,1184207,1189562,1191428,1191451,1192273,1193738,1194163,1194541,1194580,1194586,1194590,1194591,1194943,1195051,1195353,1195403,1195480,1195482,1196018,1196114,1196339,1196367,1196468,1196478,1196488,1196514,1196639,1196723,1196761,1196830,1196836,1196942,1196973,1196999,1197099,1197227,1197331,1197366,1197391,1197462,1197531,1197661,1197675,1197754,1197755,1197756,1197757,1197758,1197760,1197763,1197806,1197894,1198031,1198032,1198033
CVE References: CVE-2021-39713,CVE-2021-45868,CVE-2022-0812,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-27666,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: SLE-15288,SLE-18234,SLE-24125
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP5 (src):    kernel-rt-4.12.14-10.84.1, kernel-rt_debug-4.12.14-10.84.1, kernel-source-rt-4.12.14-10.84.1, kernel-syms-rt-4.12.14-10.84.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 49 Jürgen Groß 2022-05-03 08:09:47 UTC 
Assign back to security team, as all relevant kernel versions have been patched.
Comment 52 Jan Beulich 2022-05-25 12:31:42 UTC 
Created attachment 859217 [details]
SLE11-SP4 backports
Comment 53 Jan Beulich 2022-05-25 12:36:25 UTC 
SLE11-SP4 is the environment which I can halfway reasonably make backports for, including some _limited_ testing. Since I've never worked with the SP3-TD branch, since I've found a few Xen related things in there which I'm not familiar with, and since the SP4 patches are generally expected to go painlessly also on SP3, I'd like to ask the branch maintainers to do the actual integration on the branch. Hence the change of assignee. Thanks.

However, unlike for XSA-349, it should be considered thoroughly whether this issue actually needs addressing on this branch. In particular in the last patch I had to be "creative" to work around various shortcomings of the code base, so the risk of taking the patches may outweigh the benefits. Specifically I wonder whether TD indeed are working with affected configurations, i.e. ones where backends are running in not fully trusted environments (e.g. driver domains or de-privileged qemu).
Comment 54 Marcus Meissner 2022-06-13 11:41:45 UTC 
For Livepatching:


We discussed this internally and came to the conclusion that in the context of livepatching, the benefits don't not outweigh the risks of breaking things.

A key prerequisite of this vulnerability is malicious XEN driver backends, which, according to bug 1196488, comment 9 are "relevant for disaggregated setups of Xen hosts only (usage of driver domains), which AFAIK none of our customers is using".

Due to the constraints intrinsic to the livepatching consistency model, some rather involved workarounds would have to get implemented in a livepatch (technical details below).

With that, I don't think the benefits would outweigh the risks and I won't provide a livepatch for now. If you disagree, just add a comment here and I'll reconsider.


Technical details:
Upstream commit 42baefac638f ("xen/gnttab: fix gnttab_end_foreign_access() without page specified") depends on the granted pages being refcounted individually, which is not the case with allocations of higher order obtained by drivers via alloc_pages(). Thus, there are a couple of prerequisite patches converting drivers from alloc_pages()/free_pages() to alloc_pages_exact()/free_pages_exact(), e.g.
- abf1fd5919d6 ("xen/blkfront: don't use gnttab_query_foreign_access() for mapped status"),
- 5cadd4bb1d7f ("xen/9p: use alloc/free_pages_exact()"),
- b0576cc9c6b8 ("xen/pvcalls: use alloc/free_pages_exact()").
Note that it is not possible to free pages allocated with alloc_pages_exact() with free_pages() and vice-versa -- if attempted, things would go sideways.

The conversion from alloc_pages() to alloc_pages_exact() cannot be done from a livepatch: the allocations can (and like do) stem from before the livepatch has been applied (and there's also a symmetric issue with converts).

A possible workaround would be to make all (relevant) callers of gnttab_end_foreign_access() to split their respective alloc_pages() regions into individually refcounted pages via make_alloc_exact() before right the gnttab_end_foreign_access() invocations and to convert their subsequent free_pages() to free_pages_exact().