Bug 1218851 (CVE-2023-46839) - VUL-0: CVE-2023-46839: xen: phantom functions assigned to incorrect contexts (XSA-449)
Summary: VUL-0: CVE-2023-46839: xen: phantom functions assigned to incorrect contexts ...
Status: NEW
Alias: CVE-2023-46839
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/391306/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46839:4.1:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-16 13:26 UTC by Gianluca Gabrielli
Modified: 2024-05-10 17:50 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 8 Gabriele Sonnu 2024-01-30 13:17:46 UTC
Public via https://xenbits.xen.org/xsa/advisory-449.html

            Xen Security Advisory CVE-2023-46839 / XSA-449
                               version 2

         pci: phantom functions assigned to incorrect contexts

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

PCI devices can make use of a functionality called phantom functions,
that when enabled allows the device to generate requests using the IDs
of functions that are otherwise unpopulated.  This allows a device to
extend the number of outstanding requests.

Such phantom functions need an IOMMU context setup, but failure to
setup the context is not fatal when the device is assigned.  Not
failing device assignment when such failure happens can lead to the
primary device being assigned to a guest, while some of the phantom
functions are assigned to a different domain.

IMPACT
======

Under certain circumstances a malicious guest assigned a PCI device
with phantom functions may be able to access memory from a previous
owner of the device.

VULNERABLE SYSTEMS
==================

Systems running all version of Xen are affected.

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only systems using PCI passthrough of devices with phantom functions
are affected.

MITIGATION
==========

There is no mitigation (other than not passing through PCI devices
with phantom functions to guests).

CREDITS
=======

This issue was discovered by Roger Pau Monné of XenServer.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa449.patch           xen-unstable - Xen 4.17.x
xsa449-4.16.patch      Xen 4.16.x - Xen 4.15.x

$ sha256sum xsa449*
f77914aae8f917952f66d863d26314875ff96a0d8178f64c94b95825eabbc8a8  xsa449.patch
8f0302c24535ad4c7379469f33afcfdce08ba6db970e0ca1a1bfdd788af6fc6c  xsa449-4.16.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the mitigation is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because removing/replacing of pass-through devices or their
replacement by emulated devices is a guest visible configuration
change, which may lead to re-discovery of the issue.

Deployment of this mitigation is permitted only AFTER the embargo ends.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 9 Maintenance Automation 2024-01-30 16:36:10 UTC
SUSE-SU-2024:0270-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218851
CVE References: CVE-2023-46839
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_10-150200.3.86.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): xen-4.13.5_10-150200.3.86.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): xen-4.13.5_10-150200.3.86.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-01-30 16:36:13 UTC
SUSE-SU-2024:0269-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218851
CVE References: CVE-2023-46839
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_44-150100.3.101.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): xen-4.12.4_44-150100.3.101.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): xen-4.12.4_44-150100.3.101.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_44-150100.3.101.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-01-30 16:36:15 UTC
SUSE-SU-2024:0268-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218851
CVE References: CVE-2023-46839
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): xen-4.16.5_12-150400.4.46.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): xen-4.16.5_12-150400.4.46.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): xen-4.16.5_12-150400.4.46.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): xen-4.16.5_12-150400.4.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): xen-4.16.5_12-150400.4.46.1
SUSE Manager Proxy 4.3 (src): xen-4.16.5_12-150400.4.46.1
SUSE Manager Retail Branch Server 4.3 (src): xen-4.16.5_12-150400.4.46.1
SUSE Manager Server 4.3 (src): xen-4.16.5_12-150400.4.46.1
openSUSE Leap 15.4 (src): xen-4.16.5_12-150400.4.46.1
openSUSE Leap Micro 5.3 (src): xen-4.16.5_12-150400.4.46.1
openSUSE Leap Micro 5.4 (src): xen-4.16.5_12-150400.4.46.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): xen-4.16.5_12-150400.4.46.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.5_12-150400.4.46.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): xen-4.16.5_12-150400.4.46.1
SUSE Linux Enterprise Micro 5.4 (src): xen-4.16.5_12-150400.4.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-01-30 16:36:18 UTC
SUSE-SU-2024:0266-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1218851, 1219080
CVE References: CVE-2023-46839, CVE-2023-46840
Sources used:
openSUSE Leap 15.5 (src): xen-4.17.3_04-150500.3.21.1
SUSE Linux Enterprise Micro 5.5 (src): xen-4.17.3_04-150500.3.21.1
Basesystem Module 15-SP5 (src): xen-4.17.3_04-150500.3.21.1
Server Applications Module 15-SP5 (src): xen-4.17.3_04-150500.3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-01-31 08:30:11 UTC
SUSE-SU-2024:0265-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218851
CVE References: CVE-2023-46839
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): xen-4.12.4_44-3.103.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): xen-4.12.4_44-3.103.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): xen-4.12.4_44-3.103.1
SUSE Linux Enterprise Server 12 SP5 (src): xen-4.12.4_44-3.103.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-01-31 08:30:13 UTC
SUSE-SU-2024:0264-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1218851
CVE References: CVE-2023-46839
Sources used:
openSUSE Leap 15.3 (src): xen-4.14.6_10-150300.3.63.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): xen-4.14.6_10-150300.3.63.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): xen-4.14.6_10-150300.3.63.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): xen-4.14.6_10-150300.3.63.1
SUSE Enterprise Storage 7.1 (src): xen-4.14.6_10-150300.3.63.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.6_10-150300.3.63.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.6_10-150300.3.63.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): xen-4.14.6_10-150300.3.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Charles Arnold 2024-02-06 15:51:31 UTC
Patch submitted for relevant distros.
Comment 17 Maintenance Automation 2024-03-11 12:30:10 UTC
SUSE-SU-2024:0830-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1218851, 1219080, 1219885
CVE References: CVE-2023-46839, CVE-2023-46840, CVE-2023-46841
Sources used:
openSUSE Leap 15.5 (src): xen-4.17.3_06-150500.3.24.1
SUSE Linux Enterprise Micro 5.5 (src): xen-4.17.3_06-150500.3.24.1
Basesystem Module 15-SP5 (src): xen-4.17.3_06-150500.3.24.1
Server Applications Module 15-SP5 (src): xen-4.17.3_06-150500.3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.