-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-42321 / XSA-418 version 2 Xenstore: Guests can crash xenstored via exhausting the stack UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored. IMPACT ====== A malicious guest creating very deep nesting levels of Xenstore nodes might be able to crash xenstored, resulting in a Denial of Service (DoS) of Xenstore. This will inhibit creation of new guests or changing the configuration of already running guests. VULNERABLE SYSTEMS ================== All versions of Xen are affected. Only systems running the C variant of Xenstore (xenstored or xenstore- stubdom) are vulnerable. Systems using the Ocaml variant of Xenstore (oxenstored) are not vulnerable. MITIGATION ========== Running oxenstored instead of xenstored will avoid the vulnerability. CREDITS ======= This issue was discovered by David Vrabel of Amazon. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa418/xsa418-??.patch xen-unstable xsa418/xsa418-4.16-??.patch Xen 4.16.x xsa418/xsa418-4.15-??.patch Xen 4.15.x xsa418/xsa418-4.14-??.patch Xen 4.14.x - 4.13.x $ sha256sum xsa418* xsa418*/* dba8cf354728d5b9248d9649d042835b2f5f96dd995d0fe23a07a157cba68500 xsa418.meta d13f084bbca78d35b991fe5347297d13f77b4e49ad816344363a61a8335e6632 xsa418/xsa418-01.patch ac9acb8cda844e3873ec0a77fb9bd58581d6f1084f8a38fa494bff548c9232ae xsa418/xsa418-02.patch bc29743d71eed3ba41d1ec732e5c0011107dcc06d945ec554ef04314e0272898 xsa418/xsa418-03.patch bba67ab17c8c132258b0cfbc701e2b79ae6ea5ef507f4c09e103c19a9c729b03 xsa418/xsa418-4.14-01.patch 79eadfee1eeae340256331b5e189f1c8514106dae5ca208b0f4965ba6f6e9e51 xsa418/xsa418-4.14-02.patch 6a96c8636fc3c2a1539b9c21d3af4e0a68124dc4a7219c5eacd685f7d0543dd7 xsa418/xsa418-4.14-03.patch fe4ad75c34ceba6427c6f2ea7ad86af4a25ba3f5f9dc42fdd4ef7bf4fa60d39d xsa418/xsa418-4.14-04.patch 7884b7850d991d098409a3a9a27050f3d34486a3b459e0c2047d1dc43e13515f xsa418/xsa418-4.14-05.patch 27c070655bf27a2ca84506703d76ab5b3c9fd22155a29af5c882013cd5580640 xsa418/xsa418-4.14-06.patch 313707f2b0738680015a38ec50d93f149c386c72c809cd17de8f52e2d883b8e0 xsa418/xsa418-4.15-01.patch 4628506b3f4407034b7c6e0159a6719225f6a4c70fe12b30375f515bb6ce5d93 xsa418/xsa418-4.15-02.patch a59fed27d614de06a8d508da6345dda7260d2ac7ff9762372b34c4e6a5dfa432 xsa418/xsa418-4.15-03.patch 99ea45e5f877afe01af189ebfe3114edc8d3283829424adc53760d385b8a202e xsa418/xsa418-4.15-04.patch dd10d3c3af942fd941604029a5b5262ae6d8f7c7a9071b243904bc34c8d14ab2 xsa418/xsa418-4.15-05.patch 1a50edee9d3a04a982ba22bcf150475f396494c03b4b6eaf18b45561f0d005fc xsa418/xsa418-4.15-06.patch 042cf55472e911b871a8062613b604e7a4641505bae4e6505a176b2976906739 xsa418/xsa418-4.15-07.patch 669e8fc1637b92846ad7b72eb510c05920b267bc54340e83b3f1c8df2092ecbc xsa418/xsa418-4.16-01.patch b382431343ab873d6ab88557b09891dc821a497200c1b61e7b64286bba899ea9 xsa418/xsa418-4.16-02.patch 27737bfa0d3e475ba0e468ab3dcf0274bde40948e5f669f179d2964f6cfab4cf xsa418/xsa418-4.16-03.patch 5677156c12063d0cbad273d45800bb25176308ffd7b660d73aac3a36e4099055 xsa418/xsa418-4.16-04.patch 3c3b0282cbc50da485f6b7a871e0cc318725db2b3debf098b0fc6d0598488a48 xsa418/xsa418-4.16-05.patch d871d0e38f6db4cc86591c63cb37c63aed9ed0ba88429236eb91d142090da529 xsa418/xsa418-4.16-06.patch 145a98f2540b5c17c7d262e1df80103c4478d622a4eeba07d1566679d81a4542 xsa418/xsa418-4.16-07.patch 70874f345806b376fea1b02b0ed4d493d792a43f5c6fc29c13e0658350086f92 xsa418/xsa418-04.patch 8d94a7c6e9e484569c6eb98f274fa7489e68a9f16d12092839bb519cfc32a7b3 xsa418/xsa418-05.patch e5ecc6d3756a485114b57e0d02ff53d6eb3b312fac117a99c05bc392faa45d27 xsa418/xsa418-06.patch 77695fa2f1bfeee051d4a0e0d1e0b654f5177ce104a72635c2f1bafb1d6631cb xsa418/xsa418-07.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmNg+6sMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ0wAH/36wusPv68bogxxnnNwL6eFmZZ1Rd90mAMfw6Qyt OYo3tOWhnZVVH3uC84S7s/zWsZWJaaWxTnGW03Gxnep3GstufnWnV0m/VsmXsI9L /W0C23SgWxao+Bc819TRWF3JTcSb/wdbBbgHOJbu8gzLQc7T8xsgUeOr34fpAtZv qr2fExhKrlxdWYodDJLdZryZRBQ1ZKbO+Rihpv23FKst4HhlQvCvWr99oK6/ubkp 2mzLjeotWxT2G+RnQNJp4JqgXaYr6972/Q5h75lCxQZWxw7baIS62gTaFfK8cD4p j4gVo2zYtMBivUZngmTF36iRN743NAOz3HsvU1pEphbc24o= =6SQq -----END PGP SIGNATURE-----