Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-26932: 361 - Xen Security Advisories

An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c.

CVE
#vulnerability#linux#dos#redis#perl

Information

Advisory

XSA-361

Public release

2021-02-16 12:00

Updated

2021-02-16 12:35

Version

4

CVE(s)

CVE-2021-26932

Title

Linux: grant mapping error handling issues

Filesadvisory-361.txt (signed advisory file)
xsa361-linux-1.patch
xsa361-linux-2.patch
xsa361-linux-3.patch
xsa361-linux-4.patch
xsa361-linux-5.patchAdvisory

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

        Xen Security Advisory CVE-2021-26932 / XSA-361
                           version 4

            Linux: grant mapping error handling issues

UPDATES IN VERSION 4

Public release.

ISSUE DESCRIPTION

Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation.

Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery.

IMPACT

A malicious or buggy frontend driver may be able to crash the corresponding backend driver, causing a denial of service potentially affecting the entire domain running the backend driver.

A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding backend driver, leading to a denial of service.

VULNERABLE SYSTEMS

All Linux versions back to at least 3.2 are vulnerable, when running in PV mode on x86 or when running on Arm.

On x86, only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable.

MITIGATION

On x86, running the backends in HVM or PVH domains will avoid the vulnerability.

For protocols where other, e.g. non-kernel-based backends are available, reconfiguring guests to use alternative (e.g. qemu-based) backends may allow to avoid the vulnerability as long as these backends don’t rely on similar functionality provided by the xen-gntdev (/dev/gntdev) driver.

In all other cases there is no known mitigation.

CREDITS

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION

Applying the attached patches resolves this issue.

xsa361-linux-1.patch Linux 5.11-rc - 3.19 xsa361-linux-2.patch Linux 5.11-rc - 3.15 xsa361-linux-3.patch Linux 5.11-rc - 4.19 xsa361-linux-4.patch Linux 5.11-rc - 4.19 xsa361-linux-5.patch Linux 5.11-rc - 4.4

$ sha256sum xsa361* bb00ab6319b4fc536566af50c73e064f10f8b99eaa6b0f0b35a8d174c285a905 xsa361-linux-1.patch 73b6a54aa3773ce11f0de6b9aa1d80dd7f4c297dc71924b1a3886bc3b99ac859 xsa361-linux-2.patch 8e554cfab8cdb4fe1b74601a9432ea4c570f74a952ad757f9294ba1666cbeaea xsa361-linux-3.patch 8c290895d10fc148f99e2a6587811b3037f29c3a0201d69d448ff520cea6f96d xsa361-linux-4.patch 231ae3e1b9bec1b75dbbbee4b5acff620ef7ac2853332aa7b3c4957c6ca7f341 xsa361-linux-5.patch $

DEPLOYMENT DURING EMBARGO

Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

Deployment of the mitigation to switch to HVM / PVH backend domains is also permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the non-kernel-based backends mitigation described above is NOT permitted during the embargo on public-facing systems with untrusted guest users and administrators. This is because such a configuration change may be recognizable by the affected guests.

AND: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)

For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmAru/QMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZmFkH/Ay1RoZbbcA4ywdhy9xdnpt0DHMFLjZSbE4sNTi+ J+m9rn69UTK01VDD0RUohTcmWO0nv8ZD+jKETsSq31GiYhVk7XnSmCJkzILGujr8 cf+7jUWWJPcqBmN7xcLBaor9lhpKfMpYlMLBG7twIRHfqOSw6Sm+iD4YC23nkGKF Cb8tpkYCpX3dPMMP74nX00Wta2rqd1BrpAGvAnt9hrHIBfTcpwWE8A4H1eFL/7Dv 5+pVvrSMkyzaR5kI/QBeriXsuOP509CiafUBpeXU85pGWpLgZAqD+puodEVQ2fpT /MqATdNRhgnCzqSqh/ElN/1ZdB7406DbdCnErJiyDdN/OCE= =DUXr -----END PGP SIGNATURE-----

Xenproject.org Security Team

Related news

CVE-2022-27937: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.

CVE-2022-26656: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.

CVE-2022-27928: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

CVE-2022-27931: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

CVE-2022-27935: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.

CVE-2022-27929: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.

CVE-2022-27933: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVE-2022-27932: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVE-2022-26655: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.

CVE-2022-27930: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907