Bug 1194576 – VUL-0: CVE-2022-23033: xen: arm: guest_physmap_remove_page not removing the p2m mappings (XSA-393)

Bug 1194576 - (CVE-2022-23033) VUL-0: CVE-2022-23033: xen: arm: guest_physmap_remove_page not removing the p2m mappings (XSA-393)

(CVE-2022-23033)
Summary:	VUL-0: CVE-2022-23033: xen: arm: guest_physmap_remove_page not removing the p...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/320168/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-01-12 09:40 UTC by Thomas Leroy
Modified:	2022-02-17 14:26 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Leroy 2022-01-12 09:40:06 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-23033 / XSA-393

     arm: guest_physmap_remove_page not removing the p2m mappings

              *** EMBARGOED UNTIL 2022-01-25 12:00 UTC ***

ISSUE DESCRIPTION
=================

The functions to remove one or more entries from a guest p2m pagetable
on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry
with mfn set to INVALID_MFN) do not actually clear the pagetable entry
if the entry doesn't have the valid bit set.  It is possible to have a
valid pagetable entry without the valid bit set when a guest operating
system uses set/way cache maintenance instructions.  For instance, a
guest issuing a set/way cache maintenance instruction, then calling the
XENMEM_decrease_reservation hypercall to give back memory pages to Xen,
might be able to retain access to those pages even after Xen started
reusing them for other purposes.

IMPACT
======

A malicious guest may be able to access Xen and other domains' memory.
This could cause information leaks, host or domain Denial of Service
(DoS), and privilege escalations.

VULNERABLE SYSTEMS
==================

Xen version 4.12 and newer are vulnerable.  Only Arm systems are
vulnerable.

x86 systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa393.patch           xen-unstable - Xen 4.12.x

$ sha256sum xsa393*
ccd746687c6080ec00ba363477d8815bc648d957c21c47d3a5330be9251806a4  xsa393.meta
b7fcf5c14bbc3d306ac7f3a29f8f5faad860599553b9f6e8c7101e36cc6b01b9  xsa393.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmHdz8QMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZrIYIAIPhG+dozJWHl9RTDewH2h27vcBTI3qIiwf+QPig
rmIjBEGQWej7c8PFGeOApwsRulBJEPsV4uShOHCdLofcXdZT9Y/RJwT5P6Ez2TpK
BOiiWod0Ze2uTVQgMfvDGLhYuiXA3zrkjffp1jXW9YZgerdhL9ohr7umc6m9In8o
6vgdb43n3me5t2f4bLeB6FPTzcBl8Kols76vzgJFMw9DdLF6Uy2+7ZmkcyDMCva5
uotq0eRdfra/n2UDFwffM3atNhvnSlBikRJab7X7Q8NbGqDkQFJ3rIybpUa85OMS
PUyHzFad0kZTBY1jV3i5rgfk9x6uSVMDFhrNPpaLJERkYig=
=q3hW
-----END PGP SIGNATURE-----

Comment 5 Charles Arnold 2022-01-12 13:08:01 UTC

Xen is not supported on ARM.

Comment 8 Gianluca Gabrielli 2022-01-25 12:10:36 UTC

Public: https://xenbits.xen.org/xsa/advisory-393.html

Comment 10 Charles Arnold 2022-01-27 21:29:14 UTC

ARM is actually not supported with Xen but we do take the patches for the
convenience of backporting later fixes.
All versions of Xen since 4.12 (SLE12-SP5, SLE15-SP1 ->) are vulnerable.

Comment 11 Swamp Workflow Management 2022-02-04 14:18:42 UTC

SUSE-SU-2022:0333-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.3_06-150300.3.18.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.3_06-150300.3.18.2
SUSE Linux Enterprise Micro 5.1 (src):    xen-4.14.3_06-150300.3.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2022-02-04 14:25:16 UTC

openSUSE-SU-2022:0333-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xen-4.14.3_06-150300.3.18.2

Comment 13 Swamp Workflow Management 2022-02-17 14:19:35 UTC

SUSE-SU-2022:0467-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    xen-4.13.4_04-3.43.2
SUSE Manager Retail Branch Server 4.1 (src):    xen-4.13.4_04-3.43.2
SUSE Manager Proxy 4.1 (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Micro 5.0 (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xen-4.13.4_04-3.43.2
SUSE Enterprise Storage 7 (src):    xen-4.13.4_04-3.43.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2022-02-17 14:23:09 UTC

SUSE-SU-2022:0469-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_18-3.58.2
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_18-3.58.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2022-02-17 14:26:19 UTC

SUSE-SU-2022:0468-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xen-4.12.4_18-3.60.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xen-4.12.4_18-3.60.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xen-4.12.4_18-3.60.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xen-4.12.4_18-3.60.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xen-4.12.4_18-3.60.2
SUSE Enterprise Storage 6 (src):    xen-4.12.4_18-3.60.2
SUSE CaaS Platform 4.0 (src):    xen-4.12.4_18-3.60.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.