Bug 1227355 (CVE-2024-31143)

Summary: VUL-0: CVE-2024-31143: xen: double unlock in x86 guest IRQ handling (XSA-458)
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: carnold, gianluca.gabrielli, jbeulich
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/412806/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-31143:7.5:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Attached patch

Description Carlos López 2024-07-03 17:29:32 UTC
Xen Security Advisory CVE-2024-31143 / XSA-458

                double unlock in x86 guest IRQ handling

              *** EMBARGOED UNTIL 2024-07-16 12:00 UTC ***

ISSUE DESCRIPTION
=================

An optional feature of PCI MSI called "Multiple Message" allows a
device to use multiple consecutive interrupt vectors.  Unlike for MSI-X,
the setting up of these consecutive vectors needs to happen all in one
go.  In this handling an error path could be taken in different
situations, with or without a particular lock held.  This error path
wrongly releases the lock even when it is not currently held.

IMPACT
======

Denial of Service (DoS) affecting the entire host, crashes, information
leaks, or elevation of privilege all cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and newer are vulnerable.  Xen versions 4.3 and older
are not vulnerable.

Only x86 guests which have a multi-vector MSI capable device passed
through to them can leverage the vulnerability.

MITIGATION
==========

Not passing through multi-vector MSI capable devices to x86 guests will
avoid the vulnerability.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa458.patch           xen-unstable - Xen 4.16.x

$ sha256sum xsa458*
22dd1071755b1fd6b4ea3ce18a200f626ee796e77b7e7d93a3a5b33d2a896706  xsa458.patch
$
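
To apply the advisory's mitigation, an administrator first has to know which devices are multi-vector MSI capable. The following is an added example, not part of the advisory or of Xen: it reads `lspci -vv` style output, where the MSI capability line shows `Count=<enabled>/<supported>`, and reports devices advertising more than one vector. The function names, the sample text and the list of passed-through devices are assumptions made for illustration.

```python
import re

# Constructed sample in the layout printed by `lspci -vv` (not from a real host).
SAMPLE_LSPCI = """\
01:00.0 Ethernet controller: Example NIC (constructed)
        Capabilities: [50] MSI: Enable- Count=1/8 Maskable+ 64bit+
        Capabilities: [70] MSI-X: Enable+ Count=10 Masked-
02:00.0 USB controller: Example xHCI (constructed)
        Capabilities: [80] MSI: Enable+ Count=1/1 Maskable- 64bit+
03:00.0 SATA controller: Example AHCI (constructed)
        Capabilities: [80] MSI: Enable+ Count=4/16 Maskable- 64bit+
04:00.0 Bridge: Example bridge without MSI (constructed)
        Capabilities: [40] Power Management version 3
"""

DEVICE_RE = re.compile(r"^([0-9a-fA-F]{4}:)?[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]\s")
# Matches "MSI:" only; "MSI-X:" lines have no colon directly after "MSI".
MSI_RE = re.compile(r"\bMSI: Enable([+-]) Count=(\d+)/(\d+)")


def multi_vector_msi_devices(lspci_text):
    """Return [(bdf, enabled_vectors, supported_vectors, msi_enabled)] for
    every device whose MSI capability advertises more than one vector."""
    findings = []
    current = None
    for line in lspci_text.splitlines():
        if DEVICE_RE.match(line):
            current = line.split()[0]
            continue
        m = MSI_RE.search(line)
        if m and current is not None:
            enabled, supported = int(m.group(2)), int(m.group(3))
            if supported > 1:
                findings.append((current, enabled, supported, m.group(1) == "+"))
    return findings


def passthrough_review(lspci_text, passthrough_bdfs):
    """Multi-vector MSI capable devices that also appear in the (assumed)
    list of devices assigned to x86 guests."""
    wanted = {b.lower() for b in passthrough_bdfs}
    return [f for f in multi_vector_msi_devices(lspci_text) if f[0].lower() in wanted]


if __name__ == "__main__":
    for bdf, en, sup, on in passthrough_review(SAMPLE_LSPCI, ["01:00.0", "02:00.0"]):
        print(f"{bdf}: MSI supports {sup} vectors (enabled={on}, in use={en})")
```

A device is reported even when only one vector is currently enabled, because the advisory's condition is the capability, not the current setting.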
Comment 1 Carlos López 2024-07-03 17:30:36 UTC
Created attachment 875856
Attached patch
Comment 6 Carlos López 2024-07-16 12:09:57 UTC
Public:
https://xenbits.xen.org/xsa/advisory-458.html
Comment 7 OBSbugzilla Bot 2024-07-16 16:05:05 UTC
This is an autogenerated message for OBS integration:
This bug (1227355) was mentioned in
https://build.opensuse.org/request/show/1187952 Factory / xen
Comment 8 Charles Arnold 2024-07-16 16:25:43 UTC
Fix is now submitted to all distros.
Comment 9 Maintenance Automation 2024-07-16 16:30:09 UTC
SUSE-SU-2024:2535-1: An update that solves six vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1214083, 1221332, 1221334, 1221984, 1222302, 1222453, 1227355
CVE References: CVE-2023-28746, CVE-2023-46842, CVE-2024-2193, CVE-2024-2201, CVE-2024-31142, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:33138](https://smelt.suse.de/incident/33138/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 xen-4.13.5_12-150200.3.93.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 xen-4.13.5_12-150200.3.93.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 xen-4.13.5_12-150200.3.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-07-16 16:30:12 UTC
SUSE-SU-2024:2534-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1027519, 1222453, 1227355
CVE References: CVE-2024-2201, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34727](https://smelt.suse.de/incident/34727/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 xen-4.12.4_50-3.112.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 xen-4.12.4_50-3.112.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 xen-4.12.4_50-3.112.1
SUSE Linux Enterprise Server 12 SP5 (src):
 xen-4.12.4_50-3.112.1

Comment 11 Maintenance Automation 2024-07-16 16:30:15 UTC
SUSE-SU-2024:2533-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222453, 1227355
CVE References: CVE-2024-2201, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34726](https://smelt.suse.de/incident/34726/)
Sources used:
openSUSE Leap 15.3 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Enterprise Storage 7.1 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Micro 5.1 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Micro 5.2 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 xen-4.14.6_16-150300.3.75.1

Comment 12 Maintenance Automation 2024-07-16 16:30:18 UTC
SUSE-SU-2024:2531-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1027519, 1214718, 1221984, 1225953, 1227355
CVE References: CVE-2023-46842, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34723](https://smelt.suse.de/incident/34723/)
Sources used:
Server Applications Module 15-SP6 (src):
 xen-4.18.2_06-150600.3.3.1
openSUSE Leap 15.6 (src):
 xen-4.18.2_06-150600.3.3.1
Basesystem Module 15-SP6 (src):
 xen-4.18.2_06-150600.3.3.1
