Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 5 of 24
CVE-2022-23035 | MEDIUM | CVSS 4.6 | fixed in xen 4.16.0+51-g0941d6cb-1 (bookworm) | 2022
xen - Insufficient cleanup of passed-through device IRQs. The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be ret
debian
CVE-2022-33748 | MEDIUM | CVSS 5.6 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - lock order inversion in transitive grant copy handling. As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. W
debian
CVE-2022-42310 | MEDIUM | CVSS 5.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - Xenstore: Guests can create orphaned Xenstore nodes. By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made perma
debian
CVE-2022-21166 | MEDIUM | CVSS 5.5 | fixed in intel-microcode 3.20220510.1 (bookworm) | 2022
intel-microcode - Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Scope: local. bookworm: resolved (fixed in 3.20220510.1); bullseye: resolved (fixed in 3.20220510.1~deb11u1); forky: resolved (fixed in 3.20220510.1); sid: resolved (fixed i
debian
CVE-2022-42314 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large
debian
CVE-2022-42322 | MEDIUM | CVSS 5.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - Xenstore: Cooperating guests can create arbitrary numbers of nodes. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an
debian
CVE-2022-26364 | MEDIUM | CVSS 6.7 | fixed in xen 4.16.2-1 (bookworm) | 2022
xen - x86 pv: Insufficient care with non-coherent mappings. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have
debian
CVE-2022-42325 | MEDIUM | CVSS 5.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - Xenstore: Guests can create arbitrary number of nodes via transactions. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encou
debian
CVE-2022-42319 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - Xenstore: Guests can cause Xenstore to not free temporary memory. When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring
debian
CVE-2022-23825 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2-1 (bookworm) | 2022
xen - Aliases in the branch predictor may cause some AMD processors to predict the wrong branch type potentially leading to information disclosure. Scope: local. bookworm: resolved (fixed in 4.16.2-1); bullseye: resolved (fixed in 4.14.5+24-g87d90d511c-1); forky: resolved (fixed in 4.16.2-1); sid: resolved (fixed in 4.16.2-1); trixie: resolved (fixed in 4.16.2-1)
debian
CVE-2022-26356 | MEDIUM | CVSS 5.6 | fixed in xen 4.16.1-1 (bookworm) | 2022
xen - Racy interactions between dirty vram tracking and paging log dirty hypercalls. Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the st
debian
CVE-2022-42313 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large
debian
CVE-2022-21123 | MEDIUM | CVSS 5.5 | fixed in intel-microcode 3.20220510.1 (bookworm) | 2022
intel-microcode - Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Scope: local. bookworm: resolved (fixed in 3.20220510.1); bullseye: resolved (fixed in 3.20220510.1~deb11u1); forky: resolved (fixed in 3.20220510.1); sid: resolved (fixed in 3.20220510.1); t
debian
CVE-2022-42311 | MEDIUM | CVSS 6.5 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - Xenstore: guests can let run xenstored out of memory. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large
debian
CVE-2022-42336 | LOW | CVSS 3.3 | fixed in xen 4.17.1+2-gb773c48e36-1 (bookworm) | 2022
xen - Mishandling of guest SSBD selection on AMD hardware. The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a pe
debian
CVE-2022-33747 | LOW | CVSS 3.8 | fixed in xen 4.16.2+90-g0d39a6d1ae-1 (bookworm) | 2022
xen - Arm: unbounded memory consumption for 2nd-level page tables. Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are
debian
CVE-2021-28704 | HIGH | CVSS 8.8 | fixed in xen 4.14.3+32-g9de3671772-1 (bookworm) | 2021
xen - PoD operations on misaligned GFNs. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pa
debian
CVE-2021-28708 | HIGH | CVSS 8.8 | fixed in xen 4.14.3+32-g9de3671772-1 (bookworm) | 2021
xen - PoD operations on misaligned GFNs. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pa
debian
CVE-2021-28707 | HIGH | CVSS 8.8 | fixed in xen 4.14.3+32-g9de3671772-1 (bookworm) | 2021
xen - PoD operations on misaligned GFNs. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pa
debian
CVE-2021-28702 | HIGH | CVSS 7.6 | fixed in xen 4.14.3+32-g9de3671772-1 (bookworm) | 2021
xen - PCI devices with RMRRs not deassigned correctly. Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR"). These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU
debian