Bug 1203804 - (CVE-2022-33747) VUL-0: CVE-2022-33747: xen: unbounded memory consumption for 2nd-level page tables on ARM systems (XSA-409)
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Xen Virtualization
Security Team bot
https://smash.suse.de/issue/343667/
Reported: 2022-09-27 15:37 UTC by Carlos López
Modified: 2022-10-11 12:08 UTC

Attachments
Attached patches (48.79 KB, application/zip)
2022-09-27 15:37 UTC, Carlos López
Description Carlos López 2022-09-27 15:37:00 UTC
Created attachment 861779
Attached patches

            Xen Security Advisory CVE-2022-33747 / XSA-409

      Arm: unbounded memory consumption for 2nd-level page tables

              *** EMBARGOED UNTIL 2022-10-11 12:00 UTC ***

ISSUE DESCRIPTION
=================

Certain actions require e.g. removing pages from a guest's P2M
(Physical-to-Machine) mapping.  When large pages are in use to map guest
pages in the 2nd-stage page tables, such a removal operation may incur a
memory allocation (to replace a large mapping with individual smaller
ones).

These memory allocations are taken from the global memory pool. A
malicious guest might be able to cause the global memory pool to be
exhausted by manipulating its own P2M mappings.

IMPACT
======

A malicious guest could cause a Denial of Service, preventing any system
operation requiring further allocation of Xen memory, including creating
new guests.  NB however that memory exhaustion by itself shouldn’t cause
either Xen or properly-written guests to crash.

VULNERABLE SYSTEMS
==================

All versions of Xen are affected.

Only Arm systems are vulnerable.  x86 systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

Note further that the patches for this XSA depend on the patches for
XSA-410.

xsa409/*.patch           xen-unstable
xsa409-4.16/*.patch      Xen 4.16.x
xsa409-4.15/*.patch      Xen 4.15.x
xsa409-4.14/*.patch      Xen 4.14.x
xsa409-4.13/*.patch      Xen 4.13.x

$ sha256sum xsa409* xsa409*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
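
The allocation behaviour from the ISSUE DESCRIPTION above, as a small C model added here (not Xen code and not taken from the attached patches): it counts the page-table pages consumed when removals split 2 MiB block mappings, first charged to a shared global pool and then to a per-guest reservation. The names `simulate` and `p2m_remove_page`, the pool sizes, and the 4 KiB-granule / 2 MiB-block geometry are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define PAGES_PER_BLOCK 512          /* 4 KiB entries behind one 2 MiB block */

struct pool   { size_t free_pages; };               /* count of free table pages */
struct region { bool is_block; unsigned mapped; };  /* one 2 MiB P2M slice */

/* Unmap one 4 KiB page. A block mapping is first replaced by a table of
 * small entries, costing one page from 'src'. Returns -1 if 'src' is empty. */
static int p2m_remove_page(struct region *r, struct pool *src)
{
    if (r->is_block) {
        if (src->free_pages == 0)
            return -1;
        src->free_pages--;
        r->is_block = false;
    }
    if (r->mapped > 0)
        r->mapped--;
    return 0;
}

/* One removal in each of n_regions block-mapped regions of a single guest.
 * quota == 0: table pages come from the global pool (behaviour described).
 * quota  > 0: pages are reserved for the guest up front and charged there.
 * Returns pages left in the global pool; *splits counts successful splits. */
size_t simulate(size_t global_pages, size_t quota, size_t n_regions,
                size_t *splits)
{
    struct pool global = { global_pages }, guest = { 0 }, *src = &global;
    if (quota > 0) {
        guest.free_pages = quota < global_pages ? quota : global_pages;
        global.free_pages -= guest.free_pages;
        src = &guest;
    }
    for (*splits = 0; *splits < n_regions; (*splits)++) {
        struct region r = { true, PAGES_PER_BLOCK };
        if (p2m_remove_page(&r, src) != 0)
            break;                   /* this guest gets an error, nobody else */
    }
    return global.free_pages;
}

int main(void)
{
    size_t a, b, ga = simulate(1000, 0, 2000, &a), gb = simulate(1000, 64, 2000, &b);
    printf("global pool: %zu splits, %zu left; per-guest cap: %zu splits, %zu left\n",
           a, ga, b, gb);
    return 0;
}
```

With the constructed sizes used in `main`, the shared pool is drained to zero by one guest, while the capped guest stops at its own reservation and the rest of the pool stays available to the host and other guests.
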
Comment 3 Carlos López 2022-09-27 15:41:44 UTC
(In reply to Carlos López from comment #0) 
> Only Arm systems are vulnerable.  x86 systems are not vulnerable.

We do not support Xen on ARM, so tracking as Won't Fix.
Comment 4 Carlos López 2022-10-11 12:08:17 UTC
Public:
https://xenbits.xen.org/xsa/advisory-409.html