Bug 1209017 (CVE-2022-42332) - VUL-0: CVE-2022-42332: xen: x86 shadow plus log-dirty mode use-after-free (XSA-427)
Summary: VUL-0: CVE-2022-42332: xen: x86 shadow plus log-dirty mode use-after-free (XS...
Status: RESOLVED FIXED
Alias: CVE-2022-42332
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/359378
Whiteboard: CVSSv3.1:SUSE:CVE-2022-42332:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-07 15:47 UTC by Carlos López
Modified: 2023-04-27 16:30 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Attached patches (7.34 KB, application/zip)
2023-03-07 15:47 UTC, Carlos López
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2023-03-07 15:47:53 UTC
Created attachment 865332 [details]
Attached patches

Xen Security Advisory CVE-2022-42332 / XSA-427

             x86 shadow plus log-dirty mode use-after-free

              *** EMBARGOED UNTIL 2023-03-21 12:00 UTC ***

ISSUE DESCRIPTION
=================

In environments where host assisted address translation is necessary
but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests
in so called shadow mode.  Shadow mode maintains a pool of memory used
for both shadow page tables as well as auxiliary data structures.  To
migrate or snapshot guests, Xen additionally runs them in so called
log-dirty mode.  The data structures needed by the log-dirty tracking
are part of aformentioned auxiliary data.

In order to keep error handling efforts within reasonable bounds, for
operations which may require memory allocations shadow mode logic
ensures up front that enough memory is available for the worst case
requirements.  Unfortunately, while page table memory is properly
accounted for on the code path requiring the potential establishing of
new shadows, demands by the log-dirty infrastructure were not taken into
consideration.  As a result, just established shadow page tables could
be freed again immediately, while other code is still accessing them on
the assumption that they would remain allocated.

IMPACT
======

Guests running in shadow mode and being subject to migration or
snapshotting may be able to cause Denial of Service and other problems,
including escalation of privilege.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  The vulnerability is limited to
migration and snapshotting of guests, and only to PV ones as well as
HVM or PVH ones run with shadow paging.

MITIGATION
==========

Not migrating or snapshotting guests will avoid the vulnerability.

Running only HVM or PVH guests and only in HAP (Hardware Assisted
Paging) mode will also avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa427.patch           xen-unstable - Xen 4.17.x
xsa427-4.16.patch      Xen 4.16.x
xsa427-4.15.patch      Xen 4.15.x
xsa427-4.14.patch      Xen 4.14.x

$ sha256sum xsa427*
5ebcdc495ba6f439e47be7e17dbb8fbdecf4de66d2fac560d460f6841bd3bef3  xsa427.meta
aa39316cbb81478c62b3d5c5aea7edfb6ade3bc5e6d0aa8c4677f9ea7bcc97a2  xsa427.patch
5ba679bc2170b0d9cd4c6ce139057e3287a6ee00434fa0e9a7a02441420030ff  xsa427-4.14.patch
410ee6be28412841ab5aba1131f7dd7b84b9983f6c93974605f196fd278562e1  xsa427-4.15.patch
76c1850eb9a274c1feb5a8645f61ecf394a0551278f4e40e123ec07ea307f101  xsa427-4.16.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 4 Carlos López 2023-03-21 12:13:25 UTC
Public:
https://www.openwall.com/lists/oss-security/2023/03/21/1
Comment 5 Maintenance Automation 2023-03-21 16:30:16 UTC
SUSE-SU-2023:0862-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Enterprise Storage 7 (src): xen-4.13.4_20-150200.3.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-03-21 16:30:24 UTC
SUSE-SU-2023:0859-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE OpenStack Cloud 9 (src): xen-4.11.4_38-2.89.1
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): xen-4.11.4_38-2.89.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-03-21 16:30:28 UTC
SUSE-SU-2023:0858-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_34-150100.3.86.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-03-21 16:30:38 UTC
SUSE-SU-2023:0848-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
openSUSE Leap Micro 5.3 (src): xen-4.16.3_06-150400.4.25.1
openSUSE Leap 15.4 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.3_06-150400.4.25.1
Basesystem Module 15-SP4 (src): xen-4.16.3_06-150400.4.25.1
Server Applications Module 15-SP4 (src): xen-4.16.3_06-150400.4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-03-21 16:30:42 UTC
SUSE-SU-2023:0847-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Real Time 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Proxy 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Server 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Enterprise Storage 7.1 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.5_12-150300.3.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-03-21 16:30:47 UTC
SUSE-SU-2023:0846-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1209017, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): xen-4.7.6_32-43.104.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-03-21 16:30:50 UTC
SUSE-SU-2023:0845-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_34-3.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Carlos López 2023-04-13 15:07:31 UTC
Done, closing.
Comment 13 Maintenance Automation 2023-04-27 16:30:33 UTC
SUSE-SU-2023:0848-2: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.3_06-150400.4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.