Bugzilla – Bug 1203807
VUL-0: CVE-2022-33748: xen: lock order inversion in transitive grant copy handling (XSA-411)
Last modified: 2022-11-30 08:23:38 UTC
Created attachment 861781
Patches

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-33748 / XSA-411

          lock order inversion in transitive grant copy handling

              *** EMBARGOED UNTIL 2022-10-11 12:00 UTC ***

ISSUE DESCRIPTION
=================

As part of XSA-226 a missing cleanup call was inserted on an error handling
path.  While doing so, locking requirements were not paid attention to.  As
a result two cooperating guests granting each other transitive grants can
cause locks to be acquired nested within one another, but in respectively
opposite order.  With suitable timing between the involved grant copy
operations this may result in the locking up of a CPU.

IMPACT
======

Malicious or buggy guest kernels may be able to mount a Denial of Service
(DoS) attack affecting the entire system.

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and newer are vulnerable.  Xen versions 3.4 and older are
not vulnerable.

Only guests with access to transitive grants can exploit the vulnerability.
In particular, this means that:

 * ARM systems which have taken the XSA-268 fix are not vulnerable, as
   Grant Table v2 was disabled for other security reasons.

 * All systems with the XSA-226 fixes, and booted with `gnttab=max-ver:1`
   or `gnttab=no-transitive` are not vulnerable.

Only multiple cooperating guests can exploit the vulnerability.

MITIGATION
==========

Disallowing the use of transitive grants either via the
`gnttab=no-transitive` Xen command line option, or by disabling grant
interface version 2 altogether via the `gnttab=max-ver:1` Xen command line
option will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa411.patch           xen-unstable - Xen 4.15.x
xsa411-4.14.patch      Xen 4.14.x - 4.13.x

$ sha256sum xsa411*
0802e2e4e9d03c82429a710bbb783cee2fded52d29b1d969b97c680d30c3ac57  xsa411.patch
8473f2ee34562298c5174f0a5b3c64c561a945333aab675845093ad23250d1cf  xsa411-4.14.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

HOWEVER, deployment of the mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because it is a guest visible change which will draw attention
to the issue.

-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmMy8fgMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZF+YIAJY2BORTn4ZuHOUaiSA0YhWQ135LPMH4BXM7z9BF
oxHG+VG/TMrPBzOWXk05HGinE7bMENSQkxhwcnFmGftFvpVK8dpj07YtPOC8OQQ2
LXtt+b0BBoWhKOr6xDkqXkDXV5DHhU6WWSYzbKGXH59Zf1KOWhGnu2g9xh16yC8b
9v+KljpOf5JyoS+ZdVy/S9I830M/aebPdG4/CAbe1Ol7EkHVH5Q1LWN59XDzflch
SCYcTlAmwixM8s2s8XHzrl/3QbrsxUZnrZ78bNJsO6vEbhXsgxH4kJVXQCk8S57P
9hHPDg3ebUX5bgw/+GEJQAHybiJY2YJ6T8jB29v0RzWWqIs=
=VxDl
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-33748 / XSA-411
                               version 2

          lock order inversion in transitive grant copy handling

              *** EMBARGOED UNTIL 2022-10-11 12:00 UTC ***

UPDATES IN VERSION 2
====================

Mention xl controls affecting vulnerability and usable as mitigation.

ISSUE DESCRIPTION
=================

As part of XSA-226 a missing cleanup call was inserted on an error handling
path.  While doing so, locking requirements were not paid attention to.  As
a result two cooperating guests granting each other transitive grants can
cause locks to be acquired nested within one another, but in respectively
opposite order.  With suitable timing between the involved grant copy
operations this may result in the locking up of a CPU.

IMPACT
======

Malicious or buggy guest kernels may be able to mount a Denial of Service
(DoS) attack affecting the entire system.

VULNERABLE SYSTEMS
==================

Xen versions 4.0 and newer are vulnerable.  Xen versions 3.4 and older are
not vulnerable.

Only guests with access to transitive grants can exploit the vulnerability.
In particular, this means that:

 * ARM systems which have taken the XSA-268 fix are not vulnerable, as
   Grant Table v2 was disabled for other security reasons.

 * All systems with the XSA-226 fixes, and booted with `gnttab=max-ver:1`
   or `gnttab=no-transitive` are not vulnerable.

 * From Xen 4.16, the maximum grant table version can be controlled on a
   per-domain basis.  For the xl toolstack, the vulnerability does not
   manifest if either:

   1) Every guest has `max_grant_version=1` in their configuration file, or

   2) The global xl.conf has `max_grant_version=1`, and no guests have the
      default overridden by selecting `max_grant_version=2`.

Only multiple cooperating guests can exploit the vulnerability.

MITIGATION
==========

Disallowing the use of transitive grants either via the
`gnttab=no-transitive` Xen command line option, or by disabling grant
interface version 2 altogether via the `gnttab=max-ver:1` Xen command line
option or the xl controls as mentioned above will avoid the vulnerability.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa411.patch           xen-unstable - Xen 4.15.x
xsa411-4.14.patch      Xen 4.14.x - 4.13.x

$ sha256sum xsa411*
0802e2e4e9d03c82429a710bbb783cee2fded52d29b1d969b97c680d30c3ac57  xsa411.patch
8473f2ee34562298c5174f0a5b3c64c561a945333aab675845093ad23250d1cf  xsa411-4.14.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

HOWEVER, deployment of the mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because it is a guest visible change which will draw attention
to the issue.

-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmM1r3gMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZF98IAJb0ZKjlik+ApVkxLDZwby8driGwlxRwPppaVABr
G9wYOfIPorna7iPPWvJknBbEQkhJ6xkBqpoMQinkIEmRZCJeb4NhTmfmVz/pa2dt
/Lfp9DHeoGzrfxKe/sq6nwJ7ZvKDUuFC5MqdzFeaEKixpKpAfD0l7tvRz3uLQsEq
5cxze3UcAOmbotIyV0PQ91SWzw5XN40p/zCg3OLM5VmrIpyWZniM3n6ph7D3D9U8
Mp6FKihuZhbeYWYGgCLvoUpBeV1+qsRSziFnhV7fEd0sJS5k3ysPHM8nIEIPIkWV
W78HOAzFdNC049y1ZpRb57k2deK+TpHNKm4ZIrHZpQlby98=
=I5X5
-----END PGP SIGNATURE-----
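The advisory names three places where the mitigation can be expressed: the hypervisor command line (`gnttab=no-transitive` or `gnttab=max-ver:1`) and, from Xen 4.16, `max_grant_version` in xl.conf or in each guest's xl config. The POSIX shell snippet below is an added example, not code from the advisory, from SUSE or from the Xen tree; it checks all three against constructed inputs. It assumes that a later `gnttab=` occurrence on the command line overrides an earlier one, that the hypervisor's default maximum grant table version on x86 is 2 when nothing sets it, and that an xl config assigns the value as `max_grant_version=N` on its own line. On a live host the command line comes from `xl info` (the `xen_commandline` field) and the config texts from `/etc/xen/xl.conf` and the guest files under `/etc/xen`.

```shell
#!/bin/sh
# Added example (not from the XSA-411 advisory or the Xen tree): decide whether a
# Xen host is configured so that guests cannot use transitive grants, i.e. whether
# the XSA-411 mitigation is in place. All inputs are passed as strings so the
# functions run on constructed data; on a real host use:
#   xl info | sed -n 's/^xen_commandline *: *//p'   -> hypervisor command line
#   cat /etc/xen/xl.conf                             -> global xl defaults
#   cat /etc/xen/<guest>.cfg                         -> one text per guest

# Hypervisor side. Walk every "gnttab=..." word; sub-options are comma separated.
# Assumption: a later occurrence overrides an earlier one, as Xen boot parameters
# generally do. Returns 0 when transitive grants are disabled or grant table v2
# is disabled (max-ver:1), 1 otherwise.
xen_cmdline_mitigated() {
    max_ver=2        # assumption: x86 default when the command line says nothing
    transitive=1
    for word in $1; do
        case $word in
            gnttab=*)
                saved_ifs=$IFS; IFS=,
                for opt in ${word#gnttab=}; do
                    case $opt in
                        max-ver:*)      max_ver=${opt#max-ver:} ;;
                        no-transitive)  transitive=0 ;;
                        transitive)     transitive=1 ;;
                    esac
                done
                IFS=$saved_ifs
                ;;
        esac
    done
    [ "$max_ver" = 1 ] || [ "$transitive" = 0 ]
}

# Toolstack side (Xen 4.16+). Print the last uncommented max_grant_version
# assignment found in an xl config text, or nothing if the text does not set it.
xl_cfg_max_grant_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*max_grant_version[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        tail -n 1
}

# Whole host: $1 = hypervisor command line, $2 = xl.conf text, $3.. = one guest
# config text per domain. Returns 0 only if no guest can end up with grant table
# v2, which covers both xl conditions in the advisory: every guest pins
# max_grant_version=1, or xl.conf sets 1 and no guest overrides it with 2.
host_mitigated() {
    cmdline=$1; xlconf=$2; shift 2
    xen_cmdline_mitigated "$cmdline" && return 0
    global=$(xl_cfg_max_grant_version "$xlconf")
    for guest in "$@"; do
        effective=$(xl_cfg_max_grant_version "$guest")
        [ -n "$effective" ] || effective=$global
        [ -n "$effective" ] || effective=2   # assumption: hypervisor default on x86
        [ "$effective" = 1 ] || return 1
    done
    return 0
}

# Constructed sample inputs (not taken from any real host).
XEN_CMDLINE_UNMITIGATED='placeholder console=com1 dom0_mem=2048M'
XEN_CMDLINE_MITIGATED='placeholder console=com1 gnttab=max-ver:2,no-transitive'
XLCONF_V1='# /etc/xen/xl.conf
max_grant_version=1
'
GUEST_DEFAULT='name="web01"
memory=1024
'
GUEST_V2='name="build02"
memory=4096
max_grant_version=2
'

# One guest overriding the global default back to v2 is enough to void the
# xl-side mitigation when the hypervisor command line does not enforce it.
if host_mitigated "$XEN_CMDLINE_UNMITIGATED" "$XLCONF_V1" "$GUEST_DEFAULT" "$GUEST_V2"; then
    echo "mitigated"
else
    echo "NOT mitigated: at least one guest can still use transitive grants"
fi
```

The hypervisor option wins over anything xl says, since a guest cannot negotiate a grant table version the hypervisor refuses, which is why `host_mitigated` short-circuits on the command line first; the per-guest walk is only needed on hosts that rely on the 4.16 toolstack controls.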
Public: https://xenbits.xen.org/xsa/advisory-411.html
11-SP3-Teradata Submission: SR#282307
SUSE-SU-2022:3665-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027519,1167608,1185104,1197081,1200762,1201394,1201631,1203806,1203807
CVE References: CVE-2021-28689,CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33745,CVE-2022-33746,CVE-2022-33748
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): xen-4.14.5_06-150300.3.35.1
openSUSE Leap 15.3 (src): xen-4.14.5_06-150300.3.35.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): xen-4.14.5_06-150300.3.35.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): xen-4.14.5_06-150300.3.35.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.5_06-150300.3.35.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.5_06-150300.3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3727-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1027519,1167608,1201631,1201994,1203806,1203807
CVE References: CVE-2022-33746,CVE-2022-33748
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): xen-4.16.2_06-150400.4.11.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): xen-4.16.2_06-150400.4.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): xen-4.16.2_06-150400.4.11.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.2_06-150400.4.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3728-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1185104,1200762,1203806,1203807
CVE References: CVE-2021-28689,CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33746,CVE-2022-33748
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xen-4.12.4_28-3.77.1
SUSE Linux Enterprise Server 12-SP5 (src): xen-4.12.4_28-3.77.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3925-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1185104,1193923,1203806,1203807,1204482,1204485,1204487,1204488,1204489,1204490,1204494,1204496
CVE References: CVE-2021-28689,CVE-2022-33746,CVE-2022-33748,CVE-2022-42309,CVE-2022-42310,CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318,CVE-2022-42319,CVE-2022-42320,CVE-2022-42321,CVE-2022-42322,CVE-2022-42323,CVE-2022-42325,CVE-2022-42326
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): xen-4.10.4_40-150000.3.84.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xen-4.10.4_40-150000.3.84.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xen-4.10.4_40-150000.3.84.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3928-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 1185104,1193923,1199966,1200762,1203806,1203807,1204482,1204485,1204487,1204488,1204489,1204490,1204494,1204496
CVE References: CVE-2021-28689,CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33746,CVE-2022-33748,CVE-2022-42309,CVE-2022-42310,CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318,CVE-2022-42319,CVE-2022-42320,CVE-2022-42321,CVE-2022-42322,CVE-2022-42323,CVE-2022-42325,CVE-2022-42326
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): xen-4.12.4_30-150100.3.80.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): xen-4.12.4_30-150100.3.80.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): xen-4.12.4_30-150100.3.80.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): xen-4.12.4_30-150100.3.80.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): xen-4.12.4_30-150100.3.80.1
SUSE Enterprise Storage 6 (src): xen-4.12.4_30-150100.3.80.1
SUSE CaaS Platform 4.0 (src): xen-4.12.4_30-150100.3.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3947-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1193923,1203806,1203807,1204482,1204485,1204487,1204488,1204489,1204490,1204494,1204496
CVE References: CVE-2022-33746,CVE-2022-33747,CVE-2022-33748,CVE-2022-42309,CVE-2022-42310,CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318,CVE-2022-42319,CVE-2022-42320,CVE-2022-42321,CVE-2022-42322,CVE-2022-42323,CVE-2022-42325,CVE-2022-42326
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): xen-4.14.5_08-150300.3.40.1
openSUSE Leap 15.3 (src): xen-4.14.5_08-150300.3.40.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): xen-4.14.5_08-150300.3.40.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): xen-4.14.5_08-150300.3.40.1
SUSE Linux Enterprise Micro 5.2 (src): xen-4.14.5_08-150300.3.40.1
SUSE Linux Enterprise Micro 5.1 (src): xen-4.14.5_08-150300.3.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3971-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1167608,1185104,1193923,1199966,1203806,1203807,1204482,1204485,1204487,1204488,1204489,1204490,1204494,1204496
CVE References: CVE-2021-28689,CVE-2022-33746,CVE-2022-33748,CVE-2022-42309,CVE-2022-42310,CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318,CVE-2022-42319,CVE-2022-42320,CVE-2022-42321,CVE-2022-42322,CVE-2022-42323,CVE-2022-42325,CVE-2022-42326
JIRA References:
Sources used:
SUSE Manager Server 4.1 (src): xen-4.13.4_16-150200.3.65.1
SUSE Manager Retail Branch Server 4.1 (src): xen-4.13.4_16-150200.3.65.1
SUSE Manager Proxy 4.1 (src): xen-4.13.4_16-150200.3.65.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): xen-4.13.4_16-150200.3.65.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): xen-4.13.4_16-150200.3.65.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): xen-4.13.4_16-150200.3.65.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): xen-4.13.4_16-150200.3.65.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): xen-4.13.4_16-150200.3.65.1
SUSE Enterprise Storage 7 (src): xen-4.13.4_16-150200.3.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4007-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1027519,1193923,1203806,1203807,1204482,1204483,1204485,1204487,1204488,1204489,1204490,1204494,1204496
CVE References: CVE-2022-33746,CVE-2022-33747,CVE-2022-33748,CVE-2022-42309,CVE-2022-42310,CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318,CVE-2022-42319,CVE-2022-42320,CVE-2022-42321,CVE-2022-42322,CVE-2022-42323,CVE-2022-42325,CVE-2022-42326,CVE-2022-42327
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): xen-4.16.2_08-150400.4.16.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): xen-4.16.2_08-150400.4.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): xen-4.16.2_08-150400.4.16.1
SUSE Linux Enterprise Micro 5.3 (src): xen-4.16.2_08-150400.4.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4051-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 1185104,1203806,1203807,1204482,1204485,1204487,1204489,1204490,1204494
CVE References: CVE-2021-28689,CVE-2022-33746,CVE-2022-33748,CVE-2022-42309,CVE-2022-42310,CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318,CVE-2022-42320,CVE-2022-42321,CVE-2022-42322,CVE-2022-42323
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src): xen-4.7.6_28-43.98.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4241-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1185104,1193923,1203806,1203807,1204482,1204485,1204487,1204488,1204489,1204490,1204494,1204496
CVE References: CVE-2021-28689,CVE-2022-33746,CVE-2022-33748,CVE-2022-42309,CVE-2022-42310,CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318,CVE-2022-42319,CVE-2022-42320,CVE-2022-42321,CVE-2022-42322,CVE-2022-42323,CVE-2022-42325,CVE-2022-42326
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xen-4.11.4_34-2.83.1
SUSE OpenStack Cloud 9 (src): xen-4.11.4_34-2.83.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xen-4.11.4_34-2.83.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xen-4.11.4_34-2.83.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.