-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2025-58144,CVE-2025-58145 / XSA-473 version 2 Arm issues with page refcounting UPDATES IN VERSION 2 ==================== Public release. ISSUE DESCRIPTION ================= There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145. IMPACT ====== An unprivileged guest can cause a hypervisor crash, causing a Denial of Service (DoS) of the entire host. Privilege escalation and information leaks cannot be ruled out. VULNERABLE SYSTEMS ================== Xen versions 4.12 and onwards are vulnerable. Xen versions 4.11 and earlier are not vulnerable. Only Arm systems are affected. x86 systems are not affected. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate set of attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa473-?.patch xen-unstable - Xen 4.19.x xsa473-4.18-?.patch Xen 4.18.x - Xen 4.17.x $ sha256sum xsa473* e70f71258f1998eddafcdb5f4cb46d98e9dedc529f102b85dfb4e5310faf48eb xsa473-1.patch a501bde6ffb7391387cffe74e3eb9bd5c06d70bd7695aa811d42c75d3903fa59 xsa473-2.patch e8a27f02e57d1a8d956cca9c9ed2db90c328911ff3a9434883baf633a0f3be5c xsa473-4.18-1.patch b2f6f4560d6082e0fb040f7352dda8963ab2dce207efce289131c10b69ebf656 xsa473-4.18-2.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmjAFU8MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZ/k0IAMjOW7n+dt0rgaRfwA7twgv8OLLOkuw/+DcPYuR0 tm43Y/5OtqThqmtVqOYdZNA91EQ2rIdh2hkhrCcLI1wrm6qWHvWw4ZUp5VMLyLka u616++Uk3vlc3BrfVEVXzWgGOGYW1o7KP5njiTGcEMR/3BYC3bYBbrf7PHoDgSUR xCmHB/tMCZ/XNkYly1oZntlQTyDjW4lnMJJMTJGXqVOviXmpGs52PRsiClk5kUuB HU8wPkjpw2VQR43iJQWkLQykHnTGWWW/V271br1cJVDHylKaAxETBDUu44JkXTHx voqmAG9cwm6K5Rlh6junqnfW6+UOe6Ib+FGmRXcBZ8zRAV4= =Mloq -----END PGP SIGNATURE-----