Bug 1209018 (CVE-2022-42333) - VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM pinned cache attributes mis-handling (XSA-428)
Summary: VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM pinned cache attributes mi...
Status: RESOLVED FIXED
Alias: CVE-2022-42333
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/359381/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-42333:6.7:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-07 15:51 UTC by Carlos López
Modified: 2023-04-27 16:30 UTC (History)
2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Attached patches (6.54 KB, application/zip)
2023-03-07 15:51 UTC, Carlos López
Attached patches v2 (6.79 KB, application/zip)
2023-03-14 14:22 UTC, Carlos López

Description Carlos López 2023-03-07 15:51:25 UTC
Created attachment 865333
Attached patches

Xen Security Advisory CVE-2022-42333,CVE-2022-42334 / XSA-428

             x86/HVM pinned cache attributes mis-handling

              *** EMBARGOED UNTIL 2023-03-21 12:00 UTC ***

ISSUE DESCRIPTION
=================

To allow cachability control for HVM guests with passed through devices,
an interface exists to explicitly override defaults which would
otherwise be put in place.  While not exposed to the affected guests
themselves, the interface specifically exists for domains controlling
such guests.  This interface may therefore be used by not fully
privileged entities, e.g. qemu running deprivileged in Dom0 or qemu
running in a so called stub-domain.  With this exposure it is an issue
that
 - the number of the such controlled regions was unbounded
   (CVE-2022-42333),
 - installation and removal of such regions was not properly serialized
   (CVE-2022-42334).

IMPACT
======

Entities controlling HVM guests can run the host out of resources or
stall execution of a physical CPU for effectively unbounded periods of
time, resulting in a Denial of Service (DoS) affecting the entire host.
Crashes, information leaks, or elevation of privilege cannot be ruled
out.

VULNERABLE SYSTEMS
==================

Xen versions from at least 3.2 onwards are vulnerable.  Older versions
have not been inspected.

Only x86 systems are potentially vulnerable.  Arm systems are not
vulnerable.

Only entities controlling HVM guests can leverage the vulnerability.
These are device models running in either a stub domain or de-privileged
in Dom0.

MITIGATION
==========

Running only PV or PVH guests will avoid the vulnerability.

(Switching from a device model stub domain or a de-privileged device
model to a fully privileged Dom0 device model does NOT mitigate this
vulnerability.  Rather, it simply recategorises the vulnerability to
hostile management code, regarding it "as designed"; thus it merely
reclassifies these issues as "not a bug".  The security of a Xen system
using stub domains is still better than with a qemu-dm running as a Dom0
process.  Users and vendors of stub qemu dm systems should not change
their configuration to use a Dom0 qemu process.)

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa428-?.patch           xen-unstable
xsa428-4.17-?.patch      Xen 4.17.x
xsa428-4.16-?.patch      Xen 4.16.x - 4.14.x

$ sha256sum xsa428*
a7bd8d4c1e8579aeda47564efdc960cac92472387ba57d7f7a6d5d79470ebd6f  xsa428.meta
a2a0b962649e57e7ce5b4240f5c67f1afdfedc73af9af95f3aeba94a1a1563f6  xsa428-1.patch
1046788fa22d966bbca5d9e84d782e1fd04f3acb18f9d5656f2b442626a0782f  xsa428-2.patch
da8df4287ef9fd5e2b33915d5f93276a53b0e456e0963fecb9041ec734162181  xsa428-4.16-1.patch
62a3c56753949d971093d5d11946796f4c416c4ec16cd7b78881ac4fd4a0666e  xsa428-4.16-2.patch
da8df4287ef9fd5e2b33915d5f93276a53b0e456e0963fecb9041ec734162181  xsa428-4.17-1.patch
c3996f1c66d7c19998178c725f19cc4e845a4e9d9a90c9b827d11ddefdb17d74  xsa428-4.17-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 3 Jan Beulich 2023-03-09 08:56:53 UTC
(In reply to Carlos López from comment #0)
> VULNERABLE SYSTEMS
> ==================
> 
> Xen versions from at least 3.2 onwards are vulnerable.  Older versions
> have not been inspected.

This isn't correct - in 4.10 and older the functionality is exposed via domctl and hence subject to XSA-77.
Comment 5 Carlos López 2023-03-14 14:22:59 UTC
Created attachment 865513
Attached patches v2

     Xen Security Advisory CVE-2022-42333,CVE-2022-42334 / XSA-428
                               version 2

             x86/HVM pinned cache attributes mis-handling

              *** EMBARGOED UNTIL 2023-03-21 12:00 UTC ***

UPDATES IN VERSION 2
====================

Update affected versions. Add Fixes: tag to patches.

ISSUE DESCRIPTION
=================

To allow cachability control for HVM guests with passed through devices,
an interface exists to explicitly override defaults which would
otherwise be put in place.  While not exposed to the affected guests
themselves, the interface specifically exists for domains controlling
such guests.  This interface may therefore be used by not fully
privileged entities, e.g. qemu running deprivileged in Dom0 or qemu
running in a so called stub-domain.  With this exposure it is an issue
that
 - the number of the such controlled regions was unbounded
   (CVE-2022-42333),
 - installation and removal of such regions was not properly serialized
   (CVE-2022-42334).

IMPACT
======

Entities controlling HVM guests can run the host out of resources or
stall execution of a physical CPU for effectively unbounded periods of
time, resulting in a Denial of Service (DoS) affecting the entire host.
Crashes, information leaks, or elevation of privilege cannot be ruled
out.

VULNERABLE SYSTEMS
==================

Xen versions 4.11 through 4.17 are vulnerable.  Older versions contain
the same functionality, but it is exposed there only via an interface
which is subject to XSA-77's constraints.

Only x86 systems are potentially vulnerable.  Arm systems are not
vulnerable.

Only entities controlling HVM guests can leverage the vulnerability.
These are device models running in either a stub domain or de-privileged
in Dom0.

MITIGATION
==========

Running only PV or PVH guests will avoid the vulnerability.

(Switching from a device model stub domain or a de-privileged device
model to a fully privileged Dom0 device model does NOT mitigate this
vulnerability.  Rather, it simply recategorises the vulnerability to
hostile management code, regarding it "as designed"; thus it merely
reclassifies these issues as "not a bug".  The security of a Xen system
using stub domains is still better than with a qemu-dm running as a Dom0
process.  Users and vendors of stub qemu dm systems should not change
their configuration to use a Dom0 qemu process.)

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa428-?.patch           xen-unstable
xsa428-4.17-?.patch      Xen 4.17.x
xsa428-4.16-?.patch      Xen 4.16.x - 4.14.x

$ sha256sum xsa428*
a7bd8d4c1e8579aeda47564efdc960cac92472387ba57d7f7a6d5d79470ebd6f  xsa428.meta
2282c5fe73189ff53ea9d9946c9304a184b04795a420661ff88634f79da4ab91  xsa428-1.patch
3b691ca228592539a751ce5af69f31e09d9c477218d53af0602ac5f39f1e74d7  xsa428-2.patch
b397c43a2082ad11b3973d6b92bbc0880fbb38a99dbcee6556ad2a2a2a771949  xsa428-4.16-1.patch
27718a7a86fd57624cd8500df83eb42ff3499670bc807c6555686c25e7f7b01a  xsa428-4.16-2.patch
b397c43a2082ad11b3973d6b92bbc0880fbb38a99dbcee6556ad2a2a2a771949  xsa428-4.17-1.patch
20d3b66da8fe06d7e92992218e519f4f9746791d4ba5610d84a335f38a824fcb  xsa428-4.17-2.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
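Both copies of the advisory above (comment 0 and comment 5) name the same two defects: the number of pinned cache-attribute regions a device model could install was unbounded, and installation and removal of those regions were not serialized. The C below is an added illustrative model written for this bug page; it is not Xen's code and not the content of the attached XSA-428 patches. It shows the defensive shape those two sentences call for: a per-domain cap on the number of regions, and one lock held across the overlap check, the bound check and the insertion, so that two concurrent installs cannot both pass the bound and a removal cannot race an install. The structure and function names, the inclusive-frame-number layout and the cap of 64 are assumptions made for this example.

```c
/* Illustrative model, not Xen's code: per-domain pinned cache-attribute ranges
 * with a cap on their number and one lock serializing install and remove. */
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define PINNED_RANGE_MAX 64   /* assumed cap, hypothetical value */
struct pinned_range {
    uint64_t start, end;      /* inclusive frame numbers */
    unsigned int type;        /* memory type forced for this range */
    struct pinned_range *next;
};
struct hvm_domain_model {
    atomic_flag lock;         /* serializes install and remove */
    unsigned int nr_ranges;   /* never exceeds PINNED_RANGE_MAX */
    struct pinned_range *ranges;
};

int pin_domain_init(struct hvm_domain_model *d)
{
    atomic_flag_clear(&d->lock);
    d->nr_ranges = 0; d->ranges = NULL;
    return 0;
}
static void pin_lock(struct hvm_domain_model *d)
{   /* spin until the current holder releases */
    while (atomic_flag_test_and_set_explicit(&d->lock, memory_order_acquire));
}
static void pin_unlock(struct hvm_domain_model *d)
{
    atomic_flag_clear_explicit(&d->lock, memory_order_release);
}

/* Install [start, end]; returns 0, -EINVAL, -EEXIST, -ENOSPC or -ENOMEM. */
int pin_range_install(struct hvm_domain_model *d, uint64_t start,
                      uint64_t end, unsigned int type)
{
    struct pinned_range *r;
    int rc = 0;
    if (start > end)
        return -EINVAL;
    pin_lock(d);   /* overlap check, bound check and insert: one critical section */
    for (r = d->ranges; r; r = r->next)
        if (start <= r->end && end >= r->start) {
            rc = -EEXIST;     /* overlapping ranges are refused, not stacked */
            goto out;
        }
    if (d->nr_ranges >= PINNED_RANGE_MAX) {
        rc = -ENOSPC;         /* the bound: the list cannot grow without limit */
        goto out;
    }
    r = malloc(sizeof(*r));
    if (!r) { rc = -ENOMEM; goto out; }
    r->start = start; r->end = end; r->type = type;
    r->next = d->ranges;
    d->ranges = r;
    d->nr_ranges++;
out:
    pin_unlock(d);
    return rc;
}

/* Remove the range exactly matching [start, end]; returns 0 or -ENOENT. */
int pin_range_remove(struct hvm_domain_model *d, uint64_t start, uint64_t end)
{
    struct pinned_range **pp, *r;
    int rc = -ENOENT;
    pin_lock(d);
    for (pp = &d->ranges; (r = *pp) != NULL; pp = &r->next)
        if (r->start == start && r->end == end) {
            *pp = r->next;
            free(r);
            d->nr_ranges--;
            rc = 0;
            break;
        }
    pin_unlock(d);
    return rc;
}

/* Keep installing disjoint ranges past the cap; returns how many succeeded. */
unsigned int demo_fill_to_cap(struct hvm_domain_model *d)
{
    unsigned int i, ok = 0;
    for (i = 0; i < PINNED_RANGE_MAX + 8; i++)
        if (pin_range_install(d, (uint64_t)i * 16, (uint64_t)i * 16 + 15, 0) == 0)
            ok++;
    return ok;
}
static struct hvm_domain_model demo_dom;   /* constructed sample domain */
int main(void)
{
    pin_domain_init(&demo_dom);
    unsigned int n = demo_fill_to_cap(&demo_dom);
    int rc = pin_range_install(&demo_dom, 1 << 20, (1 << 20) + 1, 0);
    printf("installed %u ranges; next attempt -> %d (-ENOSPC is %d)\n", n, rc, -ENOSPC);
}
```

The point worth carrying over to any similar interface that a de-privileged device model can reach: the bound check only protects the host if it sits inside the same critical section as the allocation, otherwise two callers can both observe `nr_ranges < PINNED_RANGE_MAX` and both insert. The cap value itself is a policy choice; what matters is that it exists and that each domain is charged against its own counter.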
Comment 6 Carlos López 2023-03-21 12:15:05 UTC
Public:
https://www.openwall.com/lists/oss-security/2023/03/21/2
Comment 7 Maintenance Automation 2023-03-21 16:30:16 UTC
SUSE-SU-2023:0862-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.4_20-150200.3.71.1
SUSE Enterprise Storage 7 (src): xen-4.13.4_20-150200.3.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-03-21 16:30:24 UTC
SUSE-SU-2023:0859-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE OpenStack Cloud 9 (src): xen-4.11.4_38-2.89.1
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): xen-4.11.4_38-2.89.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): xen-4.11.4_38-2.89.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-03-21 16:30:28 UTC
SUSE-SU-2023:0858-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_34-150100.3.86.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_34-150100.3.86.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-03-21 16:30:39 UTC
SUSE-SU-2023:0848-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
openSUSE Leap Micro 5.3 (src): xen-4.16.3_06-150400.4.25.1
openSUSE Leap 15.4 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.3_06-150400.4.25.1
Basesystem Module 15-SP4 (src): xen-4.16.3_06-150400.4.25.1
Server Applications Module 15-SP4 (src): xen-4.16.3_06-150400.4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-03-21 16:30:43 UTC
SUSE-SU-2023:0847-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Real Time 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Proxy 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Retail Branch Server 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Manager Server 4.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Enterprise Storage 7.1 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.5_12-150300.3.48.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.5_12-150300.3.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-03-21 16:30:50 UTC
SUSE-SU-2023:0845-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_34-3.88.1
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_34-3.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Carlos López 2023-04-13 15:08:14 UTC
Done, closing.
Comment 14 Maintenance Automation 2023-04-27 16:30:33 UTC
SUSE-SU-2023:0848-2: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1209017, 1209018, 1209019, 1209188
CVE References: CVE-2022-42331, CVE-2022-42332, CVE-2022-42333, CVE-2022-42334
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.3_06-150400.4.25.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.3_06-150400.4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.