Debian Xen vulnerabilities
478 known vulnerabilities affecting debian/xen.
Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96
Vulnerabilities
Page 4 of 24
CVE-2022-26357 | HIGH | CVSS 7.0 | fixed in xen 4.16.1-1 (bookworm) | 2022
race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked
debian
CVE-2022-42309 | HIGH | CVSS 8.8 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes
debian
CVE-2022-42317 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large
debian
CVE-2022-42324 | MEDIUM | CVSS 5.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Oxenstored 32->31 bit integer truncation issues Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates unsigned/signed confusion in the remainder.
debian
CVE-2022-42312 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large
debian
CVE-2022-42318 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large
debian
CVE-2022-42323 | MEDIUM | CVSS 5.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: Cooperating guests can create arbitrary numbers of nodes [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an
debian
CVE-2022-23034 | MEDIUM | CVSS 5.5 | fixed in xen 4.16.0+51-g0941d6cb-1 (bookworm) | 2022
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapp
debian
CVE-2022-42331 | MEDIUM | CVSS 5.5 | fixed in xen 4.17.0+74-g3eac216e6e-1 (bookworm) | 2022
x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.
Scope: local
bookworm: resolved (fixed in 4.1
debian
CVE-2022-42321 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored.
Scope: local
bookworm: resolved (fixed in 4.16.2+90-g0d39a6d1ae-1)
bullseye: re
debian
CVE-2022-21125 | MEDIUM | CVSS 5.5 | fixed in intel-microcode 3.20220510.1 (bookworm) | 2022
Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Scope: local
bookworm: resolved (fixed in 3.20220510.1)
bullseye: resolved (fixed in 3.20220510.1~deb11u1)
forky: resolved (fixed in 3.20220510.1)
sid: resolved (fixed in 3.20220510
debian
CVE-2022-23824 | MEDIUM | CVSS 5.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.
Scope: local
bookworm: resolved (fixed in 4.16.2+90-g0d39a6d1ae-1)
bullseye: resolved (fixed in 4.14.5+94-ge49571868d-1)
forky: resolved (fixed in 4.16.2+90-g0d39a6d1ae-1)
sid: resolved (fixed in 4.16.2+90-g0d39a6d1ae-1)
trixie:
debian
CVE-2022-33746 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing.
Scope: local
bookworm: resolved (fixed in 4.16.2+90-g0d39a6d1ae-1)
bullseye:
debian
CVE-2022-42316 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large
debian
CVE-2022-42326 | MEDIUM | CVSS 5.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: Guests can create arbitrary number of nodes via transactions [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encou
debian
CVE-2022-42315 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
Xenstore: guests can let run xenstored out of memory [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large
debian
CVE-2022-27672 | MEDIUM | CVSS 4.7 | fixed in linux 6.1.12-1 (bookworm) | 2022
When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.
Scope: local
bookworm: resolved (fixed in 6.1.12-1)
bullseye: open
forky: resolved (fixed in 6.1.12-1)
sid: resolved (fixed in 6.1.12-1)
trixie: resolved (fixed in 6.1.12-1
debian
CVE-2022-26362 | MEDIUM | CVSS 6.4 | fixed in xen 4.16.2-1 (bookworm) | 2022
x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race
debian
CVE-2022-29900 | MEDIUM | CVSS 6.5 | fixed in linux 5.18.14-1 (bookworm) | 2022
Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions.
Scope: local
bookworm: resolved (fixed in 5.18.14-1)
bullseye: resolved (fixed in 5.10.136-1)
forky: resolved (fixed in 5.18.14-1)
sid: resolved (fixed in 5.18.14-1)
trixie: resolved (fixed in 5.18.14-1)
debian
CVE-2022-26363 | MEDIUM | CVSS 6.7 | fixed in xen 4.16.2-1 (bookworm) | 2022
x86 pv: Insufficient care with non-coherent mappings [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have
debian