Date: Tue, 11 Oct 2022 12:05:11 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 410 v3 (CVE-2022-33746) - P2M pool freeing
 may take excessively long

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2022-33746 / XSA-410
                               version 3

              P2M pool freeing may take excessively long

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The P2M pool backing second level address translation for guests may be
of significant size.  Therefore its freeing may take more time than is
reasonable without intermediate preemption checks.  Such checking for
the need to preempt was so far missing.

IMPACT
======

A group of collaborating guests can cause the temporary locking up of a
CPU, potentially leading to a Denial of Service (DoS) affecting the
entire host.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

x86 HVM and PVH guests as well as Arm guests can trigger the
vulnerability.  x86 PV guests cannot trigger the vulnerability.

MITIGATION
==========

Running only PV guests will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa410/xsa410-??.patch           xen-unstable
xsa410/xsa410-4.16-??.patch      Xen 4.16.x - 4.15.x
xsa410/xsa410-4.14-??.patch      Xen 4.14.x
xsa410/xsa410-4.13-??.patch      Xen 4.13.x

$ sha256sum xsa410* xsa410*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
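
The missing preemption check described under ISSUE DESCRIPTION, shown as an added C sketch that is not part of the advisory or of the Xen patches. All names and values (pool_free, E_RESTART, the 512-page gap, the 4096-page pool) are constructed for illustration; a gap of 0 models the pre-fix shape, where the whole pool is freed in one uninterrupted pass.

```c
#include <stdlib.h>

#define E_RESTART (-85) /* constructed "call again" code for this sketch */
struct page { struct page *next; };
struct pool { struct page *head; size_t total; };

/* Build a pool of n pages (stand-in for a guest's P2M pool). */
static int pool_init(struct pool *p, size_t n)
{
    p->head = NULL;
    for (p->total = 0; p->total < n; p->total++) {
        struct page *pg = malloc(sizeof(*pg));
        if (!pg) return -1;
        pg->next = p->head;
        p->head = pg;
    }
    return 0;
}

static int always_preempt(void) { return 1; } /* models pending work on the CPU */

/* Free the pool. With gap == 0 no preemption check is made (pre-fix shape);
 * otherwise the check runs every `gap` pages while pages remain. */
static int pool_free(struct pool *p, size_t gap, int (*need_preempt)(void))
{
    for (size_t done = 1; p->head; done++) {
        struct page *pg = p->head;
        p->head = pg->next;
        p->total--;
        free(pg);
        if (gap && done % gap == 0 && p->head && need_preempt())
            return E_RESTART; /* progress lives in *p; caller re-invokes */
    }
    return 0;
}

/* Caller loop: number of invocations one full teardown needed. */
static size_t teardown_calls(struct pool *p, size_t gap)
{
    size_t calls = 1;
    while (pool_free(p, gap, always_preempt) == E_RESTART)
        calls++; /* other pending work would be scheduled here */
    return calls;
}

int main(void)
{
    struct pool p;
    if (pool_init(&p, 4096)) return 1;
    return teardown_calls(&p, 512) == 8 ? 0 : 1;
}
```

With the check in place, the longest stretch of work done without yielding is bounded by the gap rather than by the pool size.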
