-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2023-34323 / XSA-440
                               version 4

          xenstored: A transaction conflict can crash C Xenstored

UPDATES IN VERSION 4
====================

Normalize version tags

ISSUE DESCRIPTION
=================

When a transaction is committed, C Xenstored first checks that the
domain's node quota is respected before attempting to commit any nodes.
That check works on the projected node count (current count plus the
transaction's net change), and this count can be temporarily negative
if a node the transaction deletes has already been removed outside of
the transaction.

Unfortunately, some versions of C Xenstored assume that the accounting
can never be negative and use assert() to enforce it. This crashes
C Xenstored whenever the tools are built without -DNDEBUG (which is the
default).

IMPACT
======

A malicious guest could craft a transaction that hits the C Xenstored
bug and crashes it. This results in the inability to perform any
further domain administration, such as starting new guests or
adding/removing resources to or from any existing guest, until
Xenstored is restarted.

VULNERABLE SYSTEMS
==================

All versions of Xen up to and including 4.17 are vulnerable if the
XSA-326 patches were ingested.

All Xen systems using C Xenstored are vulnerable. C Xenstored built
with -DNDEBUG (which can be specified via
EXTRA_CFLAGS_XEN_TOOLS=-DNDEBUG) is not vulnerable, because assert()
is compiled out.

Systems using the OCaml variant of Xenstored are not vulnerable.

MITIGATION
==========

The problem can be avoided by using the OCaml Xenstored variant.

CREDITS
=======

This issue was discovered by Stanislav Uschakow and Julien Grall, both
from Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
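The sequence in ISSUE DESCRIPTION, as a simplified C model added to this
page (this is illustration code, not Xen's xenstored source: the struct
and function names are invented, and the "hardened" check is one
defensible way to tolerate a negative interim count, not a copy of the
attached patch). It shows how a node removed outside the transaction
drives the projected count below zero at commit time, which is exactly
the value the vulnerable assert() rejects.

```c
/*
 * Simplified model of the C Xenstored accounting race described in
 * XSA-440. Added example only: the names below are invented for this
 * illustration and do not come from Xen's xenstored code.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Per-domain node accounting (hypothetical layout). */
struct domain_acct {
    int nr_nodes;   /* nodes the domain currently owns */
    int quota;      /* maximum nodes the domain may own */
};

/* A pending transaction records only the net change it will apply. */
struct transaction {
    int node_delta; /* >0: nodes created, <0: nodes deleted */
};

/* Number of nodes the domain would own if the transaction committed. */
static int projected_nodes(const struct domain_acct *d,
                           const struct transaction *t)
{
    return d->nr_nodes + t->node_delta;
}

/*
 * Pre-commit quota check as in the vulnerable versions: the projected
 * count is assumed non-negative and assert() enforces it. Built without
 * -DNDEBUG (the default), a negative value aborts the whole daemon.
 */
static bool quota_check_asserting(const struct domain_acct *d,
                                  const struct transaction *t)
{
    int projected = projected_nodes(d, t);

    assert(projected >= 0);
    return projected <= d->quota;
}

/*
 * Hardened check: a negative interim count only means that nodes the
 * transaction deletes were already removed outside it. That can never
 * exceed the quota, so clamp to zero instead of treating it as
 * impossible. (One defensible fix for this model, not the XSA-440 patch.)
 */
static bool quota_check_hardened(const struct domain_acct *d,
                                 const struct transaction *t)
{
    int projected = projected_nodes(d, t);

    if (projected < 0)
        projected = 0;
    return projected <= d->quota;
}

/* Thin wrappers so a caller can probe the checks with plain numbers. */
static bool check_asserting(int nr_nodes, int quota, int delta)
{
    struct domain_acct d = { .nr_nodes = nr_nodes, .quota = quota };
    struct transaction t = { .node_delta = delta };
    return quota_check_asserting(&d, &t);
}

static bool check_hardened(int nr_nodes, int quota, int delta)
{
    struct domain_acct d = { .nr_nodes = nr_nodes, .quota = quota };
    struct transaction t = { .node_delta = delta };
    return quota_check_hardened(&d, &t);
}

/*
 * Reproduce the advisory's sequence with constructed numbers:
 *   1. the domain owns 2 nodes (quota 5);
 *   2. inside a transaction the guest deletes both (delta -2);
 *   3. before commit, one of those nodes is removed outside the
 *      transaction, so the live count drops to 1;
 *   4. at commit the projected count is 1 + (-2) = -1.
 * Returns that projected count without going through the assert.
 */
static int xsa440_projected_count(void)
{
    struct domain_acct d = { .nr_nodes = 2, .quota = 5 };
    struct transaction t = { .node_delta = -2 };

    d.nr_nodes -= 1;    /* out-of-transaction removal */
    return projected_nodes(&d, &t);
}

int main(void)
{
    int projected = xsa440_projected_count();

    printf("projected node count at commit: %d\n", projected);
    printf("hardened check accepts commit: %s\n",
           check_hardened(1, 5, -2) ? "yes" : "no");
    /* check_asserting(1, 5, -2) would abort here without -DNDEBUG. */
    return 0;
}
```

Compile with `cc -o xsa440-model xsa440-model.c` and run it to see the
negative projected count; compile again with `-DNDEBUG` to see why that
build flag is listed as making C Xenstored not vulnerable: the assert()
is removed and the asserting check simply returns true for the same
input.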
xsa440-4.17.patch           Xen 4.17.x - Xen 4.15.x

$ sha256sum xsa440*
187b7edef4f509f3d7ec1662901fa638a900ab4213447438171fb2935f387014  xsa440.meta
431dab53baf2b57a299d1a151b330b62d9a007715d700e8515db71ff813d0037  xsa440-4.17.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmV8b/wMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZGWQIAJ3UDtve8zZyOlqG9fpIMr67TTq0ZjHpyaY+qoYx
PKtL/OoTyD/gQP0EIoyISvmwCfDIajkUNX6y/C9QnUPp42fZN+RXzDmK/ceTMonm
iuNv+Awqz7clBgjH/zrwR9oaYaPFCNoBfDFOc6Gb7rKYIOMVruMt/Wqsg3silxxX
Kscy5v+V5uGmrV9PKBKq6hVLNfkbYB/mw1krD1mUNZGnAxX0gyCTu1UHVonw4LcS
i7HtASqrJLwLV3y4vjNJdWPBzi9xNDqWwVKkMWqnOq8baeSDISnyK4LZGy8Q6hs6
5XIDjWx9/chWbp6VJQJa3tVAYyOnYzR6P2XqtcUd9YVD3/w=
=uHSW
-----END PGP SIGNATURE-----