Headline
CVE-2022-42311
Xenstore: guests can let run xenstored out of memory

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]

Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored:

- by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory
- by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path
- by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible
- by accessing many nodes inside a transaction
Xen Security Advisory CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318 / XSA-326
version 4

Xenstore: guests can let run xenstored out of memory

UPDATES IN VERSION 4
====================

Public release.

ISSUE DESCRIPTION
=================

Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored.

There are multiple ways how guests can cause large memory allocations in xenstored:

- by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory
- by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path
- by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible
- by accessing many nodes inside a transaction

IMPACT
======

Unprivileged guests can cause a DoS of xenstored, resulting in the inability to create new guests or modify the configuration of running guests.

VULNERABLE SYSTEMS
==================

All Xen versions are vulnerable.

Both Xenstore implementations (C and Ocaml) are vulnerable.

MITIGATION
==========

There is no mitigation available.

CREDITS
=======

This issue was discovered by Julien Grall of Amazon.

RESOLUTION
==========

Applying the appropriate attached patches resolve this issue.

Note that the final oxenstored patch (7 or 8, as applicable) is limiting the security support for oxenstored to trusted driver domains only.

C xenstored Patches 15 and 16 are not part of the XSA, but are useful for administrators to change current xenstored quota settings and to audit per-guest resource usage in xenstored.

Note that the patches are based on top of the patches for XSA-414 and XSA-415.

There is a subtle dependency on XSA-419, which can’t be resolved easily, so the patches of XSA-326 should always be applied together with those of XSA-419.

Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.

xsa326/xsa326-xenstored-??.patch           xen-unstable
xsa326/xsa326-oxenstored-??.patch          xen-unstable
xsa326/xsa326-4.16-xenstored-??.patch      Xen 4.16.x
xsa326/xsa326-4.16-oxenstored-??.patch     Xen 4.16.x
xsa326/xsa326-4.15-xenstored-??.patch      Xen 4.15.x
xsa326/xsa326-4.15-oxenstored-??.patch     Xen 4.15.x
xsa326/xsa326-4.14-xenstored-??.patch      Xen 4.14.x
xsa326/xsa326-4.14-oxenstored-??.patch     Xen 4.14.x
xsa326/xsa326-4.13-xenstored-??.patch      Xen 4.13.x
xsa326/xsa326-4.13-oxenstored-??.patch     Xen 4.13.x

$ sha256sum xsa326* xsa326*/*

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)

For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy:
  http://www.xenproject.org/security-policy.html
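
The first vector in the issue description (new requests issued while responses go unread) comes down to a missing bound on per-connection output buffering. The C example below is added here for illustration and is not code from xenstored or from the XSA-326 patches: it shows the general quota-plus-backpressure pattern, and `MAX_MSG`, `OUT_QUOTA` and every function name in it are assumptions chosen for the example.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_MSG   512   /* assumed largest single response, in bytes */
#define OUT_QUOTA 2048  /* assumed per-connection cap on unread response bytes */

struct resp { struct resp *next; size_t len; char data[]; };

struct conn {
    struct resp *head, *tail;  /* responses the guest has not read yet */
    size_t out_bytes;          /* payload bytes held in that queue */
};

/* Process one request only if its response is guaranteed to fit under the
 * quota; otherwise leave it unprocessed so nothing is allocated for it.
 * Returns 1 = processed, 0 = deferred (backpressure), -1 = error. */
int handle_request(struct conn *c, const char *req, size_t len)
{
    if (len > MAX_MSG) return -1;         /* oversized request: reject */
    if (c->out_bytes + MAX_MSG > OUT_QUOTA)
        return 0;                         /* guest is not draining replies */
    struct resp *r = malloc(sizeof(*r) + len);
    if (!r) return -1;
    memcpy(r->data, req, len);            /* toy service: echo the request */
    r->len = len; r->next = NULL;
    if (c->tail) c->tail->next = r; else c->head = r;
    c->tail = r;
    c->out_bytes += len;
    return 1;
}

/* The guest read its oldest response: free it and release its accounting.
 * Returns the number of bytes released (0 if the queue was empty). */
size_t response_consumed(struct conn *c)
{
    struct resp *r = c->head;
    if (!r) return 0;
    size_t len = r->len;
    c->head = r->next;
    if (!c->head) c->tail = NULL;
    c->out_bytes -= len;
    free(r);
    return len;
}

/* Constructed scenario: n full-size requests, no reads; returns how many ran. */
size_t flood_without_reading(struct conn *c, int n)
{
    char req[MAX_MSG] = {0};
    size_t accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += (handle_request(c, req, sizeof(req)) == 1);
    return accepted;
}
```

With the gate in place, memory held for one connection stays at or below `OUT_QUOTA` no matter how many requests arrive, and processing resumes as soon as the peer reads a response.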
Related news
Debian Linux Security Advisory 5272-1 - Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.