Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-46837: xen: arm32: The cache may not be properly cleaned/invalidated (take two) (XSA-447) | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Leroy <thomas.leroy> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | gianluca.gabrielli |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/386392/ | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Comment 2
Thomas Leroy
2023-11-29 08:15:54 UTC
(In reply to Thomas Leroy from comment #2)
> Affecting arm32 only so I guess we're not affected

Correct. There is nothing we need to do for this bug so it may be closed.

public
------

ISSUE DESCRIPTION
=================

Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest.

Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory.

This undefined behavior was meant to be addressed by XSA-437, but the approach was not sufficient.

IMPACT
======

A malicious guest may be able to read sensitive data from memory that previously belonged to another guest.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only systems running Xen on Arm 32-bit are vulnerable. Xen on Arm 64-bit is not affected.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.

xsa447/xsa447.patch           xen-unstable - Xen 4.17.x
xsa447/xsa447-4.16.patch      Xen 4.16.x - Xen 4.15.x

$ sha256sum xsa447* xsa447*/*
639f3a30124fd0f45b6b68768c02a5b5aa2e78c6c1f28bbf1ea5fb9be1f874af  xsa447.meta
e6d20002e3b71baf203b85fb6a9e02ba975f0d5ef4f4c754da8c5e381a509056  xsa447/xsa447.patch
4aee345081107a3ebe051938ed6b5168f32a9a4b0e4de5c7d99cf718fa36972f  xsa447/xsa447-4.16.patch

Done, closing.
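
The class of bug the advisory describes (range arithmetic that wraps in a 32-bit address space, so the per-line cache loop is skipped) can be shown with a small model. This is an added illustration, not Xen's helpers and not the XSA-447 patch; the function names, the 64-byte line size and the use of `uint32_t` to stand in for arm32 addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define LINE 64u /* assumed cache line size in bytes */

/* Naive range walk: "end" is computed in 32-bit arithmetic and wraps to a
 * small value when the range reaches the top of the address space, so the
 * loop body (the per-line clean/invalidate) never runs. */
static unsigned lines_visited_naive(uint32_t start, uint32_t size)
{
    uint32_t p = start & ~(LINE - 1);
    uint32_t end = start + size;        /* may wrap around to 0 */
    unsigned n = 0;

    for (; p < end; p += LINE)
        n++;                            /* stands in for one cache-line op */
    return n;
}

/* Overflow-safe walk: work with the inclusive last byte and a line count,
 * so no intermediate value has to exceed UINT32_MAX. Returns -1 when the
 * requested range itself does not fit in the address space. */
static int lines_visited_safe(uint32_t start, uint32_t size)
{
    if (size == 0)
        return 0;
    if (size - 1 > UINT32_MAX - start)
        return -1;                      /* range would wrap: reject */

    uint32_t first = start & ~(LINE - 1);
    uint32_t last = (start + (size - 1)) & ~(LINE - 1);
    uint32_t count = (last - first) / LINE + 1;
    int n = 0;

    for (uint32_t i = 0; i < count; i++)
        n++;                            /* line at first + i * LINE */
    return n;
}

int main(void)
{
    /* Constructed input: the last 4 KiB page of a 32-bit address space. */
    printf("naive: %u lines, safe: %d lines\n",
           lines_visited_naive(0xFFFFF000u, 0x1000u),
           lines_visited_safe(0xFFFFF000u, 0x1000u));
    return 0;
}
```

On a 64-bit address space the same `start + size` does not wrap for these inputs, which is consistent with the advisory's statement that only Arm 32-bit is affected.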