Bug 1221984 (CVE-2023-46842) - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may trigger Xen bug check (XSA-454)
Status: RESOLVED FIXED
Alias: CVE-2023-46842
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Charles Arnold
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398864/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46842:6.5:(AV:...
Reported: 2024-03-26 12:17 UTC by Carlos López
Modified: 2024-07-30 16:30 UTC

Attachments
Attached patches (10.31 KB, application/zip)
2024-03-26 12:17 UTC, Carlos López
Description Carlos López 2024-03-26 12:17:09 UTC
Created attachment 873816
Attached patches

Xen Security Advisory CVE-2023-46842 / XSA-454

             x86 HVM hypercalls may trigger Xen bug check

              *** EMBARGOED UNTIL 2024-04-09 12:00 UTC ***

ISSUE DESCRIPTION
=================

Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and
other modes.  This in particular means that they may set registers used
to pass 32-bit-mode hypercall arguments to values outside of the range
32-bit code would be able to set them to.

When processing of hypercalls takes a considerable amount of time,
the hypervisor may choose to invoke a hypercall continuation.  Doing so
involves putting (perhaps updated) hypercall arguments in respective
registers.  For guests not running in 64-bit mode this further involves
a certain amount of translation of the values.

Unfortunately internal sanity checking of these translated values
assumes high halves of registers to always be clear when invoking a
hypercall.  When this is found not to be the case, it triggers a
consistency check in the hypervisor and causes a crash.

IMPACT
======

A HVM or PVH guest can cause a hypervisor crash, causing a Denial of
Service (DoS) of the entire host.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only HVM or PVH guests can leverage the vulnerability.  PV guests cannot
leverage the vulnerability.

MITIGATION
==========

Not using HVM / PVH guests will avoid the vulnerability.

RESOLUTION
==========

Applying either of the attached patches from the appropriate set resolves
this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa454-?.patch           xen-unstable
xsa454-4.18-?.patch      Xen 4.18.x
xsa454-4.17-?.patch      Xen 4.17.x
xsa454-4.16-?.patch      Xen 4.16.x - Xen 4.15.x

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
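
A simplified model of the failure described under ISSUE DESCRIPTION, added here as an illustration and not taken from Xen or from the attached patches. The `regs` layout, the batch size, the argument roles and the entry-truncation hardening are assumptions; the model shows why a consistency check that presumes clear upper halves trips during continuation setup, and why normalising the registers at hypercall entry removes that condition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_ARGS 5
#define BATCH   4                        /* items per pass before a continuation */
struct regs { uint64_t arg[NR_ARGS]; };  /* guest argument registers (assumed layout) */
enum hc_result { HC_DONE, HC_CONTINUE, HC_BUG_CHECK };

/* Continuation setup for a 32-bit caller: check that every register fits in
 * 32 bits, then store the updated argument for the restarted hypercall. */
static bool set_continuation(struct regs *r, uint32_t next)
{
    for (int i = 0; i < NR_ARGS; i++)
        if (r->arg[i] != (uint32_t)r->arg[i])
            return false;                /* the hypervisor would bug-check here */
    r->arg[0] = next;
    return true;
}

/* One pass of a long-running hypercall: arg[0] = next index, arg[1] = total. */
static enum hc_result hypercall_pass(struct regs *r, bool harden)
{
    if (harden)                          /* entry hardening: drop upper halves */
        for (int i = 0; i < NR_ARGS; i++)
            r->arg[i] = (uint32_t)r->arg[i];
    uint32_t next = (uint32_t)r->arg[0], total = (uint32_t)r->arg[1];
    for (int n = 0; n < BATCH && next < total; n++)
        next++;                          /* stand-in for per-item work */
    if (next >= total)
        return HC_DONE;
    return set_continuation(r, next) ? HC_CONTINUE : HC_BUG_CHECK;
}

/* Re-issue until finished; returns passes used, or -1 if the check tripped. */
static int run_guest(uint64_t stale_high, bool harden)
{
    struct regs r = { .arg = { 0, 10 | (stale_high << 32) } };
    for (int passes = 1; ; passes++) {
        enum hc_result res = hypercall_pass(&r, harden);
        if (res != HC_CONTINUE)
            return res == HC_DONE ? passes : -1;
    }
}

int main(void)
{
    printf("clean=%d stale=%d stale+hardened=%d\n",
           run_guest(0, false), run_guest(1, false), run_guest(1, true));
}
```
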
Comment 4 OBSbugzilla Bot 2024-04-10 04:55:01 UTC
This is an autogenerated message for OBS integration:
This bug (1221984) was mentioned in
https://build.opensuse.org/request/show/1166538 Factory / xen
Comment 5 Johannes Segitz 2024-04-10 07:54:29 UTC
public
Comment 10 Maintenance Automation 2024-04-12 16:30:43 UTC
SUSE-SU-2024:1259-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1221984, 1222302, 1222453
CVE References: CVE-2023-46842, CVE-2024-2201, CVE-2024-31142
Maintenance Incident: [SUSE:Maintenance:33341](https://smelt.suse.de/incident/33341/)
Sources used:
openSUSE Leap 15.4 (src):
 xen-4.16.6_02-150400.4.55.1
openSUSE Leap Micro 5.3 (src):
 xen-4.16.6_02-150400.4.55.1
openSUSE Leap Micro 5.4 (src):
 xen-4.16.6_02-150400.4.55.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 xen-4.16.6_02-150400.4.55.1
SUSE Linux Enterprise Micro 5.3 (src):
 xen-4.16.6_02-150400.4.55.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 xen-4.16.6_02-150400.4.55.1
SUSE Linux Enterprise Micro 5.4 (src):
 xen-4.16.6_02-150400.4.55.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-04-15 20:30:08 UTC
SUSE-SU-2024:1295-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1221984, 1222302, 1222453
CVE References: CVE-2023-46842, CVE-2024-2201, CVE-2024-31142
Maintenance Incident: [SUSE:Maintenance:33340](https://smelt.suse.de/incident/33340/)
Sources used:
openSUSE Leap 15.5 (src):
 xen-4.17.4_02-150500.3.30.1
SUSE Linux Enterprise Micro 5.5 (src):
 xen-4.17.4_02-150500.3.30.1
Basesystem Module 15-SP5 (src):
 xen-4.17.4_02-150500.3.30.1
Server Applications Module 15-SP5 (src):
 xen-4.17.4_02-150500.3.30.1

Comment 15 Maintenance Automation 2024-05-07 08:30:04 UTC
SUSE-SU-2024:1541-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (moderate)
Bug References: 1027519, 1221984, 1222302, 1222453
CVE References: CVE-2023-46842, CVE-2024-2201, CVE-2024-31142
Maintenance Incident: [SUSE:Maintenance:33626](https://smelt.suse.de/incident/33626/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 xen-4.12.4_48-3.109.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 xen-4.12.4_48-3.109.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 xen-4.12.4_48-3.109.1
SUSE Linux Enterprise Server 12 SP5 (src):
 xen-4.12.4_48-3.109.1

Comment 16 Maintenance Automation 2024-05-07 08:30:07 UTC
SUSE-SU-2024:1540-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1221984, 1222302, 1222453
CVE References: CVE-2023-46842, CVE-2024-2201, CVE-2024-31142
Maintenance Incident: [SUSE:Maintenance:33625](https://smelt.suse.de/incident/33625/)
Sources used:
openSUSE Leap 15.3 (src):
 xen-4.14.6_14-150300.3.72.1
SUSE Linux Enterprise Micro 5.1 (src):
 xen-4.14.6_14-150300.3.72.1
SUSE Linux Enterprise Micro 5.2 (src):
 xen-4.14.6_14-150300.3.72.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 xen-4.14.6_14-150300.3.72.1

Comment 20 Maintenance Automation 2024-07-16 16:30:09 UTC
SUSE-SU-2024:2535-1: An update that solves six vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1214083, 1221332, 1221334, 1221984, 1222302, 1222453, 1227355
CVE References: CVE-2023-28746, CVE-2023-46842, CVE-2024-2193, CVE-2024-2201, CVE-2024-31142, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:33138](https://smelt.suse.de/incident/33138/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 xen-4.13.5_12-150200.3.93.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 xen-4.13.5_12-150200.3.93.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 xen-4.13.5_12-150200.3.93.1

Comment 21 Maintenance Automation 2024-07-16 16:30:18 UTC
SUSE-SU-2024:2531-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1027519, 1214718, 1221984, 1225953, 1227355
CVE References: CVE-2023-46842, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34723](https://smelt.suse.de/incident/34723/)
Sources used:
Server Applications Module 15-SP6 (src):
 xen-4.18.2_06-150600.3.3.1
openSUSE Leap 15.6 (src):
 xen-4.18.2_06-150600.3.3.1
Basesystem Module 15-SP6 (src):
 xen-4.18.2_06-150600.3.3.1

Comment 22 Maintenance Automation 2024-07-30 16:30:56 UTC
SUSE-SU-2024:2654-1: An update that solves two vulnerabilities and has two security fixes can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20242654-1
Category: security (important)
Bug References: 1027519, 1214718, 1221984, 1227355
CVE References: CVE-2023-46842, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34724](https://smelt.suse.de/incident/34724/)
Sources used:
Server Applications Module 15-SP5 (src):
 xen-4.17.4_04-150500.3.33.1
openSUSE Leap 15.5 (src):
 xen-4.17.4_04-150500.3.33.1
openSUSE Leap Micro 5.5 (src):
 xen-4.17.4_04-150500.3.33.1
SUSE Linux Enterprise Micro 5.5 (src):
 xen-4.17.4_04-150500.3.33.1
Basesystem Module 15-SP5 (src):
 xen-4.17.4_04-150500.3.33.1
