Bug 1227355 (CVE-2024-31143) - VUL-0: CVE-2024-31143: xen: double unlock in x86 guest IRQ handling (XSA-458)
Summary: VUL-0: CVE-2024-31143: xen: double unlock in x86 guest IRQ handling (XSA-458)
Status: NEW
Alias: CVE-2024-31143
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412806/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-31143:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-03 17:29 UTC by Carlos López
Modified: 2024-07-30 16:30 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
carnold: needinfo? (brahmajit.das)


Attachments
Attached patch (1.28 KB, patch)
2024-07-03 17:30 UTC, Carlos López

Description Carlos López 2024-07-03 17:29:32 UTC
Xen Security Advisory CVE-2024-31143 / XSA-458

                double unlock in x86 guest IRQ handling

              *** EMBARGOED UNTIL 2024-07-16 12:00 UTC ***

ISSUE DESCRIPTION
=================

An optional feature of PCI MSI called "Multiple Message" allows a
device to use multiple consecutive interrupt vectors.  Unlike for MSI-X,
the setting up of these consecutive vectors needs to happen all in one
go.  In this handling an error path could be taken in different
situations, with or without a particular lock held.  This error path
wrongly releases the lock even when it is not currently held.

IMPACT
======

Denial of Service (DoS) affecting the entire host, crashes, information
leaks, or elevation of privilege all cannot be ruled out.

VULNERABLE SYSTEMS
==================

Xen versions 4.4 and newer are vulnerable.  Xen versions 4.3 and older
are not vulnerable.

Only x86 guests which have a multi-vector MSI capable device passed
through to them can leverage the vulnerability.

MITIGATION
==========

Not passing through multi-vector MSI capable devices to x86 guests will
avoid the vulnerability.

RESOLUTION
==========

Applying the attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa458.patch           xen-unstable - Xen 4.16.x

$ sha256sum xsa458*
22dd1071755b1fd6b4ea3ce18a200f626ee796e77b7e7d93a3a5b33d2a896706  xsa458.patch
$
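
The bug class the advisory describes, reduced to a minimal C model as an added example (not Xen code and not the attached patch): one error label is reached both before and after the lock is taken. The lock type, the function names, the 1..32 vector bound and the failure injection are assumptions made for illustration.

```c
#include <stdbool.h>
/* Toy lock with no owner tracking, like a plain spinlock (hypothetical, not Xen's). */
struct toy_lock { bool held; int bad_unlocks; };
static void toy_acquire(struct toy_lock *l) { l->held = true; }
/* Counts a release while nobody holds the lock, then drops it whoever took it. */
static void toy_release(struct toy_lock *l) { l->bad_unlocks += !l->held; l->held = false; }

/* Constructed stand-in for one vector's setup; fails at index fail_at (-1 = never). */
static int bind_one(int idx, int fail_at) { return idx == fail_at ? -1 : 0; }

/* BEFORE: one error label reached both with and without the lock held. */
int setup_multi_buggy(struct toy_lock *l, int nvec, int fail_at)
{
    int rc = -22;                          /* -EINVAL */
    if (nvec < 1 || nvec > 32)
        goto fail;                         /* lock not held here */
    toy_acquire(l);
    for (int i = 0; i < nvec; i++)
        if ((rc = bind_one(i, fail_at)) != 0)
            goto fail;                     /* lock held here */
    toy_release(l);
    return 0;
fail:
    toy_release(l);                        /* wrong for the first goto */
    return rc;
}

/* AFTER: the lock is released only on paths where this call took it. */
int setup_multi_fixed(struct toy_lock *l, int nvec, int fail_at)
{
    int rc = 0;
    if (nvec < 1 || nvec > 32)
        return -22;                        /* nothing to undo */
    toy_acquire(l);
    for (int i = 0; i < nvec && rc == 0; i++)
        rc = bind_one(i, fail_at);
    toy_release(l);
    return rc;
}

/* Lock is held by another CPU: does a rejected request free it from under that holder? */
bool frees_foreign_lock(int (*fn)(struct toy_lock *, int, int))
{
    struct toy_lock l = { .held = true, .bad_unlocks = 0 };
    fn(&l, 0, -1);                         /* nvec = 0 is rejected before locking */
    return !l.held;
}
int main(void) { return frees_foreign_lock(setup_multi_fixed); }  /* exit status 0 */
```

Because the lock carries no owner, the stray release in the buggy variant is silent when another CPU holds the lock, which is why a lock-debugging build or static analysis of error labels is the practical way to catch this pattern.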
Comment 1 Carlos López 2024-07-03 17:30:36 UTC
Created attachment 875856
Attached patch
Comment 6 Carlos López 2024-07-16 12:09:57 UTC
Public:
https://xenbits.xen.org/xsa/advisory-458.html
Comment 7 OBSbugzilla Bot 2024-07-16 16:05:05 UTC
This is an autogenerated message for OBS integration:
This bug (1227355) was mentioned in
https://build.opensuse.org/request/show/1187952 Factory / xen
Comment 8 Charles Arnold 2024-07-16 16:25:43 UTC
Fix is now submitted to all distros.
Comment 9 Maintenance Automation 2024-07-16 16:30:09 UTC
SUSE-SU-2024:2535-1: An update that solves six vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1214083, 1221332, 1221334, 1221984, 1222302, 1222453, 1227355
CVE References: CVE-2023-28746, CVE-2023-46842, CVE-2024-2193, CVE-2024-2201, CVE-2024-31142, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:33138](https://smelt.suse.de/incident/33138/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 xen-4.13.5_12-150200.3.93.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 xen-4.13.5_12-150200.3.93.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 xen-4.13.5_12-150200.3.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-07-16 16:30:12 UTC
SUSE-SU-2024:2534-1: An update that solves two vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1027519, 1222453, 1227355
CVE References: CVE-2024-2201, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34727](https://smelt.suse.de/incident/34727/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 xen-4.12.4_50-3.112.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 xen-4.12.4_50-3.112.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 xen-4.12.4_50-3.112.1
SUSE Linux Enterprise Server 12 SP5 (src):
 xen-4.12.4_50-3.112.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-07-16 16:30:15 UTC
SUSE-SU-2024:2533-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222453, 1227355
CVE References: CVE-2024-2201, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34726](https://smelt.suse.de/incident/34726/)
Sources used:
openSUSE Leap 15.3 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Enterprise Storage 7.1 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Micro 5.1 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Micro 5.2 (src):
 xen-4.14.6_16-150300.3.75.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 xen-4.14.6_16-150300.3.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-07-16 16:30:18 UTC
SUSE-SU-2024:2531-1: An update that solves two vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1027519, 1214718, 1221984, 1225953, 1227355
CVE References: CVE-2023-46842, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34723](https://smelt.suse.de/incident/34723/)
Sources used:
Server Applications Module 15-SP6 (src):
 xen-4.18.2_06-150600.3.3.1
openSUSE Leap 15.6 (src):
 xen-4.18.2_06-150600.3.3.1
Basesystem Module 15-SP6 (src):
 xen-4.18.2_06-150600.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Brahmajit Das 2024-07-28 07:47:29 UTC
Hi, is the xen package from SLES12 SP2 affected? There is an open L3 ticket asking for PTF with the fix.
Comment 14 Jan Beulich 2024-07-29 07:35:39 UTC
(In reply to Brahmajit Das from comment #13)
> Hi, is the xen package from SLES12 SP2 affected? There is an open L3 ticket
> asking for PTF with the fix.

As per the advisory clearly saying "4.4 and newer" it would be affected. Yet then I'm unaware of us still doing anything for the 12sp2 code stream. Please clarify.
Comment 15 Charles Arnold 2024-07-29 14:24:07 UTC
(In reply to Jan Beulich from comment #14)
> (In reply to Brahmajit Das from comment #13)
> > Hi, is the xen package from SLES12 SP2 affected? There is an open L3 ticket
> > asking for PTF with the fix.
> 
> As per the advisory clearly saying "4.4 and newer" it would be affected. Yet
> then I'm unaware of us still doing anything for the 12sp2 code stream.
> Please clarify.

Right. We no longer submit security fixes for SP2.
LTSS support ended for SP2 on 31 Mar 2021. I'm not aware of any "core" support
for SP2 that extended that date.

As Jan said, please clarify if this is a valid L3 support request.
Comment 16 Maintenance Automation 2024-07-30 16:30:57 UTC
SUSE-SU-2024:2654-1: An update that solves two vulnerabilities and has two security fixes can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20242654-1
Category: security (important)
Bug References: 1027519, 1214718, 1221984, 1227355
CVE References: CVE-2023-46842, CVE-2024-31143
Maintenance Incident: [SUSE:Maintenance:34724](https://smelt.suse.de/incident/34724/)
Sources used:
Server Applications Module 15-SP5 (src):
 xen-4.17.4_04-150500.3.33.1
openSUSE Leap 15.5 (src):
 xen-4.17.4_04-150500.3.33.1
openSUSE Leap Micro 5.5 (src):
 xen-4.17.4_04-150500.3.33.1
SUSE Linux Enterprise Micro 5.5 (src):
 xen-4.17.4_04-150500.3.33.1
Basesystem Module 15-SP5 (src):
 xen-4.17.4_04-150500.3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.