Bug 1194588 – VUL-0: CVE-2022-23035: xen: insufficient cleanup of passed-through device IRQs (XSA-395)

Bug 1194588 - (CVE-2022-23035) VUL-0: CVE-2022-23035: xen: insufficient cleanup of passed-through device IRQs (XSA-395)

(CVE-2022-23035)
Summary:	VUL-0: CVE-2022-23035: xen: insufficient cleanup of passed-through device IRQ...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/320173/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-23035:6.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-01-12 10:09 UTC by Thomas Leroy
Modified:	2022-02-17 14:26 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Updated patch subject (1.46 KB, patch) 2022-01-25 12:12 UTC, Carlos López	Details \| Diff
Updated patch subject, 4.14 (1.43 KB, patch) 2022-01-25 12:14 UTC, Carlos López	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Leroy 2022-01-12 10:09:57 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-23035 / XSA-395

          Insufficient cleanup of passed-through device IRQs

              *** EMBARGOED UNTIL 2022-01-25 12:00 UTC ***

ISSUE DESCRIPTION
=================

The management of IRQs associated with physical devices exposed to x86
HVM guests involves an iterative operation in particular when cleaning
up after the guest's use of the device.  In the case where an interrupt
is not quiescent yet at the time this cleanup gets invoked, the cleanup
attempt may be scheduled to be retried.  When multiple interrupts are
involved, this scheduling of a retry may get erroneously skipped.  At
the same time pointers may get cleared (resulting in a de-reference of
NULL) and freed (resulting in a use-after-free), while other code would
continue to assume them to be valid.

IMPACT
======

The precise impact is system specific, but would typically be a Denial
of Service (DoS) affecting the entire host.  Privilege escalation and
information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen versions 4.6 and later are vulnerable.  Xen versions 4.5 and earlier
are not vulnerable.

Only x86 HVM guests with one or more passed-through physical devices
using (together) multiple physical interupts can leverage the
vulnerability.  x86 PV guests cannot leverage the vulnerability.  x86
HVM guests without passed-through devices or with a passed-through
device using just a single physical interrupt also cannot leverage the
vulnerability.  Device pass-through is unsupported for x86 PVH guests
and all Arm guests.

MITIGATION
==========

There is no mitigation (other than not passing through to x86 HVM guests
PCI devices with, overall, more than a single physical interrupt).

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa395.patch           xen-unstable - Xen 4.15.x
xsa395-4.14.patch      Xen 4.14.x - Xen 4.12.x

$ sha256sum xsa395*
f460be598b936bb5cfb9276787f2f21d90b029d1fe10dabd572ae50f84a1124d  xsa395.meta
5572a937cb2b6ab45784ec848564abe003f309cc0e2be0912cd6f5e5e9d36e48  xsa395.patch
2f8bcc953dbe85437802201c8e2c72c3b18cfb7c4777076794e259314ade627f  xsa395-4.14.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmHd0UQMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZBjgH/2ycdCgoR+O/MaP6i4q75QqwRIiWuRzIqp+rUb78
YN4vwMiYdAKJCJDjydnTTF2B3xGTOXIVBsvcVRjEVsSO4A9GpITDQOZxSiZKDRQe
rKdOuPGasviYvIZv8kaBy4ff0RBOTjCiTtGANa+FPwRvz4PBOx5iv4PWLYafMKsl
Fwtz5oyHb6DLE2AXBo8Z161wcTG1T8RPtyiHazfjr13qxENuJgyo01+R7I9Evcyz
yHeUVnmwEoDv+kpigaUpbmV708N7QgYRxTbz1IKpObq4jz17/IfrYt+sVwjP/wIm
BbfKuFDneR/tdqCjBBsMQhjkpo5lED1izhpOvZdWbp62T1I=
=gOk7
-----END PGP SIGNATURE-----

Comment 6 Carlos López 2022-01-12 14:53:40 UTC

Affected:
 - SUSE:SLE-12-SP2:Update
 - SUSE:SLE-12-SP3:Update
 - SUSE:SLE-12-SP4:Update
 - SUSE:SLE-12-SP5:Update
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP1:Update
 - SUSE:SLE-15-SP2:Update
 - SUSE:SLE-15-SP3:Update
 - openSUSE:Factory

It seems that the problematic code is present in pci_clean_dpci_irqs, as pt_pirq_iterate is called with pci_clean_dpci_irq as a callback. Without the patch, pt_pirq_iterate might not return on failed executions of the callback.

Older codestreams ship versions that are below 4.5, which according to the advisory are not affected. On these codestreams the cleanup callback always returns 0, so the assessment matches.

Comment 9 Gianluca Gabrielli 2022-01-25 12:12:13 UTC

Public: https://xenbits.xen.org/xsa/advisory-395.html

Comment 10 Carlos López 2022-01-25 12:12:44 UTC

Created attachment 855574 [details]
Updated patch subject

Comment 11 Carlos López 2022-01-25 12:14:12 UTC

Created attachment 855575 [details]
Updated patch subject, 4.14

Comment 12 Carlos López 2022-01-25 12:21:15 UTC

(In reply to Carlos López from comment #6)
>  - SUSE:SLE-15-SP1:Update
>  - SUSE:SLE-15-SP2:Update
>  - SUSE:SLE-15-SP3:Update

SUSE:SLE-15-SP4 also affected.

Comment 15 Charles Arnold 2022-01-27 21:31:23 UTC

Xen versions 4.6 and later are vulnerable.
SLE12-SP2 contains 4.7, nothing earlier is needed.

Comment 16 Swamp Workflow Management 2022-02-04 14:18:52 UTC

SUSE-SU-2022:0333-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.3_06-150300.3.18.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.3_06-150300.3.18.2
SUSE Linux Enterprise Micro 5.1 (src):    xen-4.14.3_06-150300.3.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 17 Swamp Workflow Management 2022-02-04 14:25:25 UTC

openSUSE-SU-2022:0333-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xen-4.14.3_06-150300.3.18.2

Comment 18 Swamp Workflow Management 2022-02-04 14:32:14 UTC

SUSE-SU-2022:0332-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194581,1194588
CVE References: CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_32-3.71.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_32-3.71.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_32-3.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Swamp Workflow Management 2022-02-04 14:32:52 UTC

SUSE-SU-2022:0331-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194581,1194588
CVE References: CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_26-2.68.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_26-2.68.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_26-2.68.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_26-2.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Swamp Workflow Management 2022-02-07 17:18:42 UTC

SUSE-SU-2022:0342-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194581,1194588
CVE References: CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_20-43.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Swamp Workflow Management 2022-02-09 20:20:25 UTC

SUSE-SU-2022:0359-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194581,1194588
CVE References: CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_26-3.100.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_26-3.100.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_26-3.100.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_26-3.100.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_26-3.100.1
HPE Helion Openstack 8 (src):    xen-4.9.4_26-3.100.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 22 Swamp Workflow Management 2022-02-17 14:19:45 UTC

SUSE-SU-2022:0467-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    xen-4.13.4_04-3.43.2
SUSE Manager Retail Branch Server 4.1 (src):    xen-4.13.4_04-3.43.2
SUSE Manager Proxy 4.1 (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise Micro 5.0 (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xen-4.13.4_04-3.43.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xen-4.13.4_04-3.43.2
SUSE Enterprise Storage 7 (src):    xen-4.13.4_04-3.43.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 23 Swamp Workflow Management 2022-02-17 14:21:36 UTC

SUSE-SU-2022:14886-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194581,1194588
CVE References: CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_52-61.70.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_52-61.70.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 24 Swamp Workflow Management 2022-02-17 14:23:19 UTC

SUSE-SU-2022:0469-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_18-3.58.2
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_18-3.58.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 25 Swamp Workflow Management 2022-02-17 14:26:30 UTC

SUSE-SU-2022:0468-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194576,1194581,1194588
CVE References: CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xen-4.12.4_18-3.60.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xen-4.12.4_18-3.60.2
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xen-4.12.4_18-3.60.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xen-4.12.4_18-3.60.2
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xen-4.12.4_18-3.60.2
SUSE Enterprise Storage 6 (src):    xen-4.12.4_18-3.60.2
SUSE CaaS Platform 4.0 (src):    xen-4.12.4_18-3.60.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.