Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-26361

IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, “RMRR”) for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption.

CVE
#vulnerability#dos#redis#intel#amd

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 / XSA-400 version 2 IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, “RMRR”) for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. IMPACT ====== The precise impact is system specific, but would likely be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. VULNERABLE SYSTEMS ================== All Xen versions supporting PCI passthrough are affected. Only x86 systems with IOMMU hardware are vulnerable. Arm systems as well as x86 systems without IOMMU hardware or without any IOMMUs in use are not vulnerable. Only x86 guests which have physical devices passed through to them, and only when any such device has an associated RMRR or unity map, can leverage the vulnerability. (Whether a device is associated with an RMRR or unity map is not easy to discern.) MITIGATION ========== Not passing through physical devices to untrusted guests when the devices have assoicated RMRRs / unity maps will avoid the vulnerability. CREDITS ======= Aspects of this issue were discovered by Jan Beulich of SUSE and Roger Pau Monné of Citrix. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa400/xsa400-??.patch xen-unstable xsa400/xsa400-4.16-*.patch Xen 4.16.x xsa400/xsa400-4.15-*.patch Xen 4.15.x xsa400/xsa400-4.14-*.patch Xen 4.14.x xsa400/xsa400-4.13-*.patch Xen 4.13.x xsa400/xsa400-4.12-*.patch Xen 4.12.x $ sha256sum xsa400*/* 108544235a011e96e8717e9e744190fd8128e99cca8141f682667bd7b8533f45 xsa400/xsa400-01.patch 1648ef0213dd6beeaa782a18926416a00aa51ad89136aa1565debd5312bf58aa xsa400/xsa400-02.patch 39e02738ce3d3a65c02355dd45cb844ecca8be9715b7887dedcdaada02c4bda1 xsa400/xsa400-03.patch 2d5e7f4090418d817df002b7cd7a9a40246ff9900faf53fc2b2f685ac77b2a0e xsa400/xsa400-4.12-00.patch a4291033d1960f8095a11e765072f60cf9e5be07d4cd0cbfed1896f9c66a4576 xsa400/xsa400-4.12-01.patch 2f5b2ce22ae6cba8a5380ccf63ae2dcf6e7ce8f29a33c87c0630abc6c1d24793 xsa400/xsa400-4.12-02.patch 86ee30d46957f63e4516ea47f14470579d0906fd536b39e31645e2cd471c1b49 xsa400/xsa400-4.12-03.patch 546430f61df3eb92a55e32047cce8557d85a8e860f67d558c35fea44e7c56b18 xsa400/xsa400-4.12-04.patch 178463bf81b138668c2f036b11a0b9406a6f5bb98c0643741787ccdf276495d9 xsa400/xsa400-4.12-05.patch b19c599eb5eb17f8e0e17879174a4235fdc3f2172bc77bffdee60074ef2d7c90 xsa400/xsa400-4.12-06.patch 02eae481f2b06763dd913b46a65837791147b7916bbd0ed50e5d972784b310aa xsa400/xsa400-4.12-07.patch 298339cc343d9803158abd0c36030f36e7dc8360ccfed320f34ff01813c47434 xsa400/xsa400-4.12-08.patch 9253d7120db39a1e3c14fc6b8735577f3d215837996eed057511146c0ba199d6 xsa400/xsa400-4.12-09.patch 762bbe418c028449812b4441c4e369230477eeea4d863c05a2efd9c7e5e19bc3 xsa400/xsa400-4.12-10.patch 7172957a27cdf02327c28b5cfedf35b12e76cb17237cbb9c318442961f503fe6 xsa400/xsa400-4.12-11.patch c685d9ee2453728f509a78506930f756118ff443fbe6d5307873e90455b5e131 xsa400/xsa400-4.13-00.patch 0b0a80a249c9c58726f913df24163976cfaadabc685d3d274dd7b972fe4cbffc xsa400/xsa400-4.13-01.patch eabee7d9cabe00748e78fda0363818ca6085ac395804658a11f94394236d2734 xsa400/xsa400-4.13-02.patch 66cd2a0ee8a002668e04e2bb7192ac2f774012434765988bdea0a7e79621f58c xsa400/xsa400-4.13-03.patch 4457c142c1fdc67e0dc77a57bc57159ee63dc1946e432ae1225937c7ed3a3e82 xsa400/xsa400-4.13-04.patch 2feabcbcf160d8c1130b2c86efd98dd9fee0332489520f3a10aa8bb37d6a5a20 xsa400/xsa400-4.13-05.patch 903099123d37806b7fe684d75ab0fb6a28b4609d7370cce65a9ba5ab4db43ddd xsa400/xsa400-4.13-06.patch e8a39d36f629b7f79634d09d22ace97f1c23ee10ee9fef6afd68ec2204c55d81 xsa400/xsa400-4.13-07.patch d85c63917542d2d2b47dd6322b4c32364719be4707acf616290aacd536c57805 xsa400/xsa400-4.13-08.patch 5496ca04a2789603069ca8e8d3bf6d301c19c799ccff813bf17865b46f687757 xsa400/xsa400-4.13-09.patch 8b343f3616c0283caac334b4f0cc42b1523f2dc9de3463f2edadbf1a11c17a22 xsa400/xsa400-4.13-10.patch 577d20d2ed5da8a89f32eae717a140f9ec3900e31fc9e10ee23e37ae5dc19d4a xsa400/xsa400-4.13-11.patch bfa82c6beae9ec8ab88e042296442eed3ca162b42124c982785c7c0d95440480 xsa400/xsa400-4.14-01.patch f8f7da8d0cc3d149874956e9aefe666a2e33275dba66ed0d55f0b559d078f01f xsa400/xsa400-4.14-02.patch 49acd3d795aa091f8fa1c72b5064b5a71966e77c9785f5d0f8226d99daba3ead xsa400/xsa400-4.14-03.patch 0ce4435a8c7fd6f4186ea31d29932094b1a902d9d0c5dafa3fcb1c15c5eca88c xsa400/xsa400-4.14-04.patch aeae4cef4bf31ecd854ad820239fe793f36ed81c0ad28ce3935ab3f83c3ee58c xsa400/xsa400-4.14-05.patch f8d93e2ab3f891f70abd17ddba9aae8237605f1f680754ff9df646e5ddb9d419 xsa400/xsa400-4.14-06.patch afb9f731ba7a53930626e322ebb39db19f817b5c60710fc934c395fcdea4c7f4 xsa400/xsa400-4.14-07.patch c236bb7b5c692cf30e7b84e6668f87b248bcf80c6df1dd74c655b91b955eb271 xsa400/xsa400-4.14-08.patch 6c4d44983eae92212be6bda7663198260bdeb0506c5b622c38ddbcedf9360d69 xsa400/xsa400-4.14-09.patch 5393c6681c675c666396f6725c2ac2e48293465e97bc228dcfc410ee84d8ba7c xsa400/xsa400-4.14-10.patch 8d1dcdeb4d9420840a6753bb56f35bf199af63a6c477f2352e47222df5337c1a xsa400/xsa400-4.14-11.patch f52a70fd92c4819658630c9d478ae03a9801352b024240059877d0ee2002e31e xsa400/xsa400-4.15-01.patch 243a0b20b20c78b41f833004c82ce26b1249285671f150bdfe4a2314860df316 xsa400/xsa400-4.15-02.patch 175f2472f80dacffcee578543f4fc4521f5533de46199ce86b072bfd0ede9ae3 xsa400/xsa400-4.15-03.patch dee6fbe9e3c03d695bae1f81cebca80ca54ecf02a51db64ae5f3d313837eed8c xsa400/xsa400-4.15-04.patch 55a35033b8ba45b1c9c556e0c2866733e518137299f2f3f4d41046766898aeb5 xsa400/xsa400-4.15-05.patch 94ec5289a3a632fed8d220478847ef3b780d7db345f30ee9d6b186905de61048 xsa400/xsa400-4.15-06.patch 50cbb08b931cd1cc8ec3e2aa17b537db80dcd03a6de0994331fc3818f53cbfe4 xsa400/xsa400-4.15-07.patch e4c77fac42b8b0b50cdc9de30f406176c44de75d647e36b4bbd6360dd70c8aa6 xsa400/xsa400-4.15-08.patch 652cd8700b830b3520db325cfd90eab6c08bd423debb21c05caa7edfef9ee671 xsa400/xsa400-4.15-09.patch 50e58d663690475ce35a0a65eda88a2c2da319ddc02eb15b5a7d568a8f0a0366 xsa400/xsa400-4.15-10.patch 37a18da6ad1f529bfdc4156225f18c17c10a45302b7d6045ee38c934656589da xsa400/xsa400-4.15-11.patch ff069d123df2aba7a4f3185f21f7ca36b34fc026dcdd279224c86698f84c0975 xsa400/xsa400-4.15-12.patch 76497919563cdf2804f5071325c032acd04cf8df75c0dcb4b207a93b9ae80927 xsa400/xsa400-4.16-01.patch 150f2a7621ec17d6369a6ebbc2c08c502f3524acb89855a86a25d7b4fa3e3270 xsa400/xsa400-4.16-02.patch cd59bca0fcab4bda1d0ea839501543a59b53aef61e96a0d949675bc5550a6fcb xsa400/xsa400-4.16-03.patch 098edab3ed8915a3598badaa1d452f7c8ab2d8e72879dd9bf941b2093e6df9d1 xsa400/xsa400-4.16-04.patch a85640291e1bc1cdb757172eb6d2036834ad2eb7b84252cc64d29db3feeff331 xsa400/xsa400-4.16-05.patch 99d43caf1ce60f421d940c2774e2a59d65d1f0dcccd941f13066117a19222b22 xsa400/xsa400-4.16-06.patch fbe5ec58da594dffd3e63c18406280f27d976609350d7c7083acbf2f2e6538cd xsa400/xsa400-4.16-07.patch e6b0d400beda8ff0e9bdbfd033bc23935069b41dbd5dddf863dbd70de44d908f xsa400/xsa400-4.16-08.patch 965f96bdb33a872942de42597c7cc32012020f37b25a84015ecc55387d6b07dd xsa400/xsa400-4.16-09.patch 7996b1462374168ddc9cbc01c990d5cb40140d7a100096f284f6b74fb4ad7ec4 xsa400/xsa400-4.16-10.patch 23e325be799b299e9621e76eeff646b81518a4124474fb766d3bf6f0cc925083 xsa400/xsa400-4.16-11.patch 6fa43e1a8f53184724cd4a7b5c13f0fd699c998af968bafaefda570432b5a7d8 xsa400/xsa400-4.16-12.patch 82306d680ef445bee04969028184f65b5e106c89c308fbb876b858f77fea9506 xsa400/xsa400-04.patch ccf3ff62b427d3d2ea46d4da96beeef2cb64674bc0d247352233c4b84a21f205 xsa400/xsa400-05.patch 8b3f767ca659e8bbf4983927999bdb92d9fa42e3a88973e22facda0e23f29a84 xsa400/xsa400-06.patch bb570b89a2d4b535831d9211bf08cc0c62c060dc7808911afd8186082b884cf8 xsa400/xsa400-07.patch 8382fd5336b5b4b3388dee099da00b1e728dea77d96825c6088991d7e50f333b xsa400/xsa400-08.patch 6909363863932ca77c9b7384516965bc1697fab9b4814294a1675fb6ce8e166e xsa400/xsa400-09.patch c37fee4dd9ab2bf64ebb8b9c553f793bfcef9a7cf1972b0000fe6ce28b9e8e60 xsa400/xsa400-10.patch 70f11f64457c9703f09c3121d08d5ff4676af20bd42eb1262c433a5e0f79ea41 xsa400/xsa400-11.patch 724e34d262939162ecab713c070cc07b8f7baeca50ee8b62bb59460ec4f7fbdb xsa400/xsa400-12.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. HOWEVER, deployment of the mitigation is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because removal of pass-through devices or their replacement by emulated devices is a guest visible configuration change, which may lead to re-discovery of the issue. Deployment of this mitigation is permitted only AFTER the embargo ends. AND: Distribution of updated software is prohibited (except to other members of the predisclosure list). (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmJML+0MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZQl8IALuh2RTTSiQBYeybKZPr3QEOfy+L3VFzNbRZeGBc jpN12lXjzkFvVuTXDu6Cgw1g6yhRrcRnhGWhx3T8RpGeYhHq1GeKSw7+c4NTsiDL 21P9F3mEban6tOUa82V2PTkYfAMMpbn5apOcsMvdlPoEgXdgLPh5HoVIvXQQO6Ni 3MkCN7foV3M07jAiB4ehqrsPLhzGSCCRJfiD9PA1/RnnzCBrspyyWepF7mwzh2cx 1kENmG8mSwA3Eg0fNUMDBi6W+drNmIx4gooYo3LBnCyMgzUrv7+bzkvjpcU8+dAq H5i2Morbx4j0F/TcQ8+23KjzNvJHbiqKVrIFCoa1z54dGC8= =tz+l -----END PGP SIGNATURE-----

Related news

Gentoo Linux Security Advisory 202402-07

Gentoo Linux Security Advisory 202402-7 - Multiple vulnerabilities have been found in Xen, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 4.16.6_pre1 are affected.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907