xen-4.18.0_02-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13442 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z xen-4.18.0_02-1.1 on GA media These are all security issues fixed in the xen-4.18.0_02-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13442 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13442 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-34323/ SUSE CVE CVE-2023-34323 page https://www.suse.com/security/cve/CVE-2023-34325/ SUSE CVE CVE-2023-34325 page https://www.suse.com/security/cve/CVE-2023-34326/ SUSE CVE CVE-2023-34326 page https://www.suse.com/security/cve/CVE-2023-34327/ SUSE CVE CVE-2023-34327 page https://www.suse.com/security/cve/CVE-2023-46835/ SUSE CVE CVE-2023-46835 page https://www.suse.com/security/cve/CVE-2023-46836/ SUSE CVE CVE-2023-46836 page openSUSE Tumbleweed xen-4.18.0_02-1.1 xen-devel-4.18.0_02-1.1 xen-doc-html-4.18.0_02-1.1 xen-libs-4.18.0_02-1.1 xen-tools-4.18.0_02-1.1 xen-tools-domU-4.18.0_02-1.1 xen-tools-xendomains-wait-disk-4.18.0_02-1.1 xen-4.18.0_02-1.1 as a component of openSUSE Tumbleweed xen-devel-4.18.0_02-1.1 as a component of openSUSE Tumbleweed xen-doc-html-4.18.0_02-1.1 as a component of openSUSE Tumbleweed xen-libs-4.18.0_02-1.1 as a component of openSUSE Tumbleweed xen-tools-4.18.0_02-1.1 as a component of openSUSE Tumbleweed xen-tools-domU-4.18.0_02-1.1 as a component of openSUSE Tumbleweed xen-tools-xendomains-wait-disk-4.18.0_02-1.1 as a component of openSUSE Tumbleweed When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default). CVE-2023-34323 openSUSE Tumbleweed:xen-4.18.0_02-1.1 openSUSE Tumbleweed:xen-devel-4.18.0_02-1.1 openSUSE Tumbleweed:xen-doc-html-4.18.0_02-1.1 openSUSE Tumbleweed:xen-libs-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-domU-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.18.0_02-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-34323.html CVE-2023-34323 https://bugzilla.suse.com/1215744 SUSE Bug 1215744 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a priviledged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further analisys the Xen Security Team is no longer confident in the suitability of libfsimage when run against guest controlled input with super user priviledges. In order to not affect current deployments that rely on pygrub patches are provided in the resolution section of the advisory that allow running pygrub in deprivileged mode. CVE-2023-4949 refers to the original issue in the upstream grub project ("An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub's XFS file system implementation.") CVE-2023-34325 refers specifically to the vulnerabilities in Xen's copy of libfsimage, which is decended from a very old version of grub. CVE-2023-34325 openSUSE Tumbleweed:xen-4.18.0_02-1.1 openSUSE Tumbleweed:xen-devel-4.18.0_02-1.1 openSUSE Tumbleweed:xen-doc-html-4.18.0_02-1.1 openSUSE Tumbleweed:xen-libs-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-domU-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.18.0_02-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-34325.html CVE-2023-34325 https://bugzilla.suse.com/1215747 SUSE Bug 1215747 The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions. CVE-2023-34326 openSUSE Tumbleweed:xen-4.18.0_02-1.1 openSUSE Tumbleweed:xen-devel-4.18.0_02-1.1 openSUSE Tumbleweed:xen-doc-html-4.18.0_02-1.1 openSUSE Tumbleweed:xen-libs-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-domU-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.18.0_02-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-34326.html CVE-2023-34326 https://bugzilla.suse.com/1215746 SUSE Bug 1215746 [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. CVE-2023-34327 openSUSE Tumbleweed:xen-4.18.0_02-1.1 openSUSE Tumbleweed:xen-devel-4.18.0_02-1.1 openSUSE Tumbleweed:xen-doc-html-4.18.0_02-1.1 openSUSE Tumbleweed:xen-libs-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-domU-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.18.0_02-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-34327.html CVE-2023-34327 https://bugzilla.suse.com/1215748 SUSE Bug 1215748 The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks. CVE-2023-46835 openSUSE Tumbleweed:xen-4.18.0_02-1.1 openSUSE Tumbleweed:xen-devel-4.18.0_02-1.1 openSUSE Tumbleweed:xen-doc-html-4.18.0_02-1.1 openSUSE Tumbleweed:xen-libs-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-domU-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.18.0_02-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46835.html CVE-2023-46835 https://bugzilla.suse.com/1216654 SUSE Bug 1216654 The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen. CVE-2023-46836 openSUSE Tumbleweed:xen-4.18.0_02-1.1 openSUSE Tumbleweed:xen-devel-4.18.0_02-1.1 openSUSE Tumbleweed:xen-doc-html-4.18.0_02-1.1 openSUSE Tumbleweed:xen-libs-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-domU-4.18.0_02-1.1 openSUSE Tumbleweed:xen-tools-xendomains-wait-disk-4.18.0_02-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46836.html CVE-2023-46836 https://bugzilla.suse.com/1216807 SUSE Bug 1216807