Headline
CVE-2022-33747
Arm: unbounded memory consumption for 2nd-level page tables
Certain actions require e.g. removing pages from a guest’s P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.
Xen Security Advisory CVE-2022-33747 / XSA-409
version 3

Arm: unbounded memory consumption for 2nd-level page tables

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Certain actions require e.g. removing pages from a guest’s P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones).

These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings.

IMPACT
======

A malicious guest could cause a Denial of Service, preventing any system operation requiring further allocation of Xen memory, including creating new guests.

NB however that memory exhaustion by itself shouldn’t cause either Xen or properly-written guests to crash.

VULNERABLE SYSTEMS
==================

All versions of Xen are affected.

Only Arm systems are vulnerable. x86 systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.

Note further that the patches for this XSA depend on the patches for XSA-410.

xsa409/*.patch           xen-unstable
xsa409-4.16/*.patch      Xen 4.16.x
xsa409-4.15/*.patch      Xen 4.15.x
xsa409-4.14/*.patch      Xen 4.14.x
xsa409-4.13/*.patch      Xen 4.13.x

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators.

But: Distribution of updated software is prohibited (except to other members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team.

(Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team’s decisionmaking.)

For more information about permissible uses of embargoed information, consult the Xen Project community’s agreed Security Policy:
  http://www.xenproject.org/security-policy.html
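
The accounting problem in the issue description, as an added toy model in C (not Xen code and not part of the advisory): it compares taking the extra page-table page from the global pool with taking it from a fixed per-guest P2M page pool, the approach the XSA-409 patches take. All names and sizes are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>

/* Toy accounting model, NOT Xen code: every name and size is hypothetical. */
struct heap   { unsigned long free_pages; };   /* global memory pool */
struct domain { unsigned long pool_free;       /* pages reserved for this guest's P2M */
                unsigned long tables; };       /* page-table pages in use */

/* Reserve the guest's P2M pool once, at domain creation. */
static int p2m_pool_init(struct heap *h, struct domain *d, unsigned long pages)
{
    if (h->free_pages < pages)
        return -ENOMEM;
    h->free_pages -= pages;
    d->pool_free = pages;
    return 0;
}

/* One page-table page is needed to replace a large mapping with smaller ones.
 * pooled == false: taken from the global pool (behaviour the advisory describes).
 * pooled == true:  taken from the domain's own pool (behaviour after the fix). */
static int split_large_mapping(struct heap *h, struct domain *d, bool pooled)
{
    unsigned long *src = pooled ? &d->pool_free : &h->free_pages;

    if (*src == 0)
        return -ENOMEM;          /* the operation fails, nothing else is touched */
    (*src)--;
    d->tables++;
    return 0;
}

/* Global pages left after one guest requests `splits` removals. */
static unsigned long heap_after(unsigned long heap_pages, unsigned long pool_pages,
                                unsigned long splits, bool pooled)
{
    struct heap h = { heap_pages };
    struct domain d = { 0, 0 };

    if (pooled && p2m_pool_init(&h, &d, pool_pages))
        return 0;
    while (splits-- && split_large_mapping(&h, &d, pooled) == 0)
        ;
    return h.free_pages;
}

/* Creating another guest needs `need` pages from the global pool. */
static bool can_create_guest(unsigned long heap_left, unsigned long need)
{
    return heap_left >= need;
}
```

With the pool in place, the cost of a guest's P2M is charged once at creation, and later failures are confined to that guest's own operations.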
Related news
Gentoo Linux Security Advisory 202402-7 - Multiple vulnerabilities have been found in Xen, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 4.16.6_pre1 are affected.
Debian Linux Security Advisory 5272-1 - Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.