Information

Advisory        XSA-409
Public release  2022-10-11 10:57
Updated         2022-10-11 10:57
Version         3
CVE(s)          CVE-2022-33747
Title           Arm: unbounded memory consumption for 2nd-level page tables

Files

advisory-409.txt (signed advisory file)
xsa409.meta
xsa409-4.13/0001-libxl-docs-Use-arch-specific-default-paging-memory.patch
xsa409-4.13/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch
xsa409-4.13/0003-xen-arm-libxl-Implement-XEN_DOMCTL_shadow_op-for-Arm.patch
xsa409-4.13/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch
xsa409-4.14/0001-libxl-docs-Use-arch-specific-default-paging-memory.patch
xsa409-4.14/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch
xsa409-4.14/0003-xen-arm-libxl-Implement-XEN_DOMCTL_shadow_op-for-Arm.patch
xsa409-4.14/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch
xsa409-4.15/0001-libxl-docs-Use-arch-specific-default-paging-memory.patch
xsa409-4.15/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch
xsa409-4.15/0003-xen-arm-libxl-Implement-XEN_DOMCTL_shadow_op-for-Arm.patch
xsa409-4.15/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch
xsa409-4.16/0001-libxl-docs-Use-arch-specific-default-paging-memory.patch
xsa409-4.16/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch
xsa409-4.16/0003-xen-arm-libxl-Implement-XEN_DOMCTL_shadow_op-for-Arm.patch
xsa409-4.16/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch
xsa409/0001-libxl-docs-Add-per-arch-extra-default-paging-memory.patch
xsa409/0002-xen-arm-Construct-the-P2M-pages-pool-for-guests.patch
xsa409/0003-xen-arm-libxl-Implement-XEN_DOMCTL_shadow_op-for-Arm.patch
xsa409/0004-xen-arm-Allocate-and-free-P2M-pages-from-the-P2M-poo.patch

Advisory


            Xen Security Advisory CVE-2022-33747 / XSA-409
                               version 3

      Arm: unbounded memory consumption for 2nd-level page tables

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Certain actions require, for example, removing pages from a guest's P2M
(Physical-to-Machine) mapping.  When large pages are in use to map guest
pages in the 2nd-stage page tables, such a removal operation may incur a
memory allocation (to replace a large mapping with individual smaller
ones).

These memory allocations are taken from the global memory pool. A
malicious guest might be able to cause the global memory pool to be
exhausted by manipulating its own P2M mappings.

IMPACT
======

A malicious guest could cause a Denial of Service, preventing any system
operation requiring further allocation of Xen memory, including creating
new guests.  NB however that memory exhaustion by itself shouldn’t cause
either Xen or properly-written guests to crash.

VULNERABLE SYSTEMS
==================

All versions of Xen are affected.

Only Arm systems are vulnerable.  x86 systems are not vulnerable.

MITIGATION
==========

There is no known mitigation.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

Note further that the patches for this XSA depend on the patches for
XSA-410.

xsa409/*.patch           xen-unstable
xsa409-4.16/*.patch      Xen 4.16.x
xsa409-4.15/*.patch      Xen 4.15.x
xsa409-4.14/*.patch      Xen 4.14.x
xsa409-4.13/*.patch      Xen 4.13.x
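
Before applying a patch set, it is worth confirming that the files on disk are the ones the advisory names. The following is an added example, not part of the original advisory or Xen Project tooling: it selects one branch's entries from the sha256sum listing in the signed advisory file and checks them. The function name, the side-by-side download layout and the script name verify.sh are assumptions.

```shell
#!/bin/sh
# Added example (not Xen Project code): check one branch's XSA-409 patches
# against the sha256sum listing carried in the signed advisory file.
# Assumption: advisory-409.txt and the xsa409*/ directories sit side by side.
# Check the advisory's signature first, e.g. `gpg --verify advisory-409.txt`
# (needs the Xen Project security team key in the local keyring).

# verify_xsa_patches ADVISORY PATCHDIR [EXPECTED_COUNT]
#   PATCHDIR is the per-branch directory named in the advisory, e.g.
#   xsa409-4.16 for Xen 4.16.x or xsa409 for xen-unstable.
# Returns 0 if the advisory lists EXPECTED_COUNT (default 4) patches for
# PATCHDIR and each is present with a matching SHA-256; 2 on a listing
# mismatch; 1 on a missing or altered file.
verify_xsa_patches() {
    advisory=$1 patchdir=$2 expected=${3:-4}
    base=$(dirname "$advisory")

    # Keep only "<64 hex digits>  <PATCHDIR>/<name>.patch" lines. Anchoring on
    # "PATCHDIR/" stops xsa409 from also selecting xsa409-4.16/...
    manifest=$(awk -v d="$patchdir/" '
        NF == 2 && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ &&
        index($2, d) == 1 && $2 ~ /\.patch$/ && $2 !~ /\.\./ {
            print $1 "  " $2
        }' "$advisory")

    listed=$(printf '%s\n' "$manifest" | grep -c . || true)
    if [ "$listed" -ne "$expected" ]; then
        echo "advisory lists $listed patches for $patchdir, expected $expected" >&2
        return 2
    fi

    # sha256sum -c resolves the listed relative paths from the current
    # directory, so run it where the advisory and patch directories live.
    printf '%s\n' "$manifest" | (cd "$base" && sha256sum -c -) || return 1
}

# Stand-alone use (hypothetical script name):
#   sh verify.sh advisory-409.txt xsa409-4.16
if [ "$#" -ge 2 ]; then
    verify_xsa_patches "$@"
fi
```

Any non-zero return means the patch set should not be applied as downloaded.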

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Xenproject.org Security Team