Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 3 of 24
CVE-2023-46836 | MEDIUM | CVSS 4.7 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023 | debian
Package: xen
The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was ...

CVE-2023-34321 | LOW | CVSS 3.3 | fixed in xen 4.17.2+76-ge1f9cb16e2-1~deb12u1 (bookworm) | 2023 | debian
Package: xen
Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalida ...

CVE-2023-46837 | LOW | CVSS 3.3 | fixed in xen 4.17.3+10-g091466ba55-1~deb12u1 (bookworm) | 2023 | debian
Package: xen
Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalida ...

CVE-2022-23033 | HIGH | CVSS 7.8 | fixed in xen 4.16.0+51-g0941d6cb-1 (bookworm) | 2022 | debian
Package: xen
arm: guest_physmap_remove_page not removing the p2m mappings. The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry with ...

CVE-2022-33745 | HIGH | CVSS 8.8 | fixed in xen 4.16.2-1 (bookworm) | 2022 | debian
Package: xen
insufficient TLB flush for x86 PV guests in shadow mode. For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable ...

CVE-2022-26365 | HIGH | CVSS 7.1 | fixed in linux 5.18.14-1 (bookworm) | 2022 | debian
Package: linux
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sh ...

CVE-2022-42335 | HIGH | CVSS 7.8 | fixed in xen 4.17.1+2-gb773c48e36-1 (bookworm) | 2022 | debian
Package: xen
x86 shadow paging arbitrary pointer dereference. In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest with a PCI device passed through to cause th ...

CVE-2022-42320 | HIGH | CVSS 7.0 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022 | debian
Package: xen
Xenstore: Guests can get access to Xenstore nodes of deleted domains. Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time w ...

CVE-2022-42330 | HIGH | CVSS 7.5 | fixed in xen 4.17.0+24-g2f8851c37f-2 (bookworm) | 2022 | debian
Package: xen
Guests can cause Xenstore crash via soft reset. When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XS_RELEASE will have the same impact. Scope: local bookworm: resolved (fixed in 4.17.0+24-g ...

CVE-2022-42333 | HIGH | CVSS 8.6 | fixed in xen 4.17.0+74-g3eac216e6e-1 (bookworm) | 2022 | debian
Package: xen
x86/HVM pinned cache attributes mis-handling. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected ...

CVE-2022-26360 | HIGH | CVSS 7.8 | fixed in xen 4.16.1-1 (bookworm) | 2022 | debian
Package: xen
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. The ...

CVE-2022-26361 | HIGH | CVSS 7.8 | fixed in xen 4.16.1-1 (bookworm) | 2022 | debian
Package: xen
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. The ...

CVE-2022-26359 | HIGH | CVSS 7.8 | fixed in xen 4.16.1-1 (bookworm) | 2022 | debian
Package: xen
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. The ...

CVE-2022-42327 | HIGH | CVSS 7.1 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022 | debian
Package: xen
x86: unintended memory sharing between guests. On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests. Scope: local bookworm: resolved (fixed in 4.16.2+90-g0d39a6 ...

CVE-2022-33742 | HIGH | CVSS 7.1 | fixed in linux 5.18.14-1 (bookworm) | 2022 | debian
Package: linux
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sh ...

CVE-2022-42334 | HIGH | CVSS 8.6 | fixed in xen 4.17.0+74-g3eac216e6e-1 (bookworm) | 2022 | debian
Package: xen
x86/HVM pinned cache attributes mis-handling. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected ...

CVE-2022-42332 | HIGH | CVSS 7.8 | fixed in xen 4.17.0+74-g3eac216e6e-1 (bookworm) | 2022 | debian
Package: xen
x86 shadow plus log-dirty mode use-after-free. In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To migrate or snapshot guests, Xen additionally ru ...

CVE-2022-33741 | HIGH | CVSS 7.1 | fixed in linux 5.18.14-1 (bookworm) | 2022 | debian
Package: linux
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sh ...

CVE-2022-33740 | HIGH | CVSS 7.1 | fixed in linux 5.18.14-1 (bookworm) | 2022 | debian
Package: linux
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sh ...

CVE-2022-26358 | HIGH | CVSS 7.8 | fixed in xen 4.16.1-1 (bookworm) | 2022 | debian
Package: xen
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. The ...

Debian Xen vulnerabilities | cvebase