SUSE-SU-2023:4484-1

Published: 20 Nov 2023
Source: suse-cvrf

Description

Security update for xen

This update for xen fixes the following issues:

  • CVE-2023-46835: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) (bsc#1216654).
  • CVE-2023-46836: x86: BTC/SRSO fixes not fully effective (XSA-446) (bsc#1216807).

Package list

Image SLES15-SP2-BYOS-Azure
  • xen-libs-4.13.5_08-150200.3.83.1

Image SLES15-SP2-HPC-BYOS-Azure
  • xen-libs-4.13.5_08-150200.3.83.1

Image SLES15-SP2-SAP-Azure
  • xen-libs-4.13.5_08-150200.3.83.1

Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
  • xen-libs-4.13.5_08-150200.3.83.1

Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
  • xen-libs-4.13.5_08-150200.3.83.1

Image SLES15-SP2-SAP-BYOS-Azure
  • xen-libs-4.13.5_08-150200.3.83.1

Image SLES15-SP2-SAP-BYOS-EC2-HVM
  • xen-libs-4.13.5_08-150200.3.83.1
  • xen-tools-domU-4.13.5_08-150200.3.83.1

Image SLES15-SP2-SAP-BYOS-GCE
  • xen-libs-4.13.5_08-150200.3.83.1

Image SLES15-SP2-SAP-EC2-HVM
  • xen-libs-4.13.5_08-150200.3.83.1
  • xen-tools-domU-4.13.5_08-150200.3.83.1

Image SLES15-SP2-SAP-GCE
  • xen-libs-4.13.5_08-150200.3.83.1

SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
  • xen-4.13.5_08-150200.3.83.1
  • xen-devel-4.13.5_08-150200.3.83.1
  • xen-libs-4.13.5_08-150200.3.83.1
  • xen-tools-4.13.5_08-150200.3.83.1
  • xen-tools-domU-4.13.5_08-150200.3.83.1
  • xen-tools-xendomains-wait-disk-4.13.5_08-150200.3.83.1

SUSE Linux Enterprise Server 15 SP2-LTSS
  • xen-4.13.5_08-150200.3.83.1
  • xen-devel-4.13.5_08-150200.3.83.1
  • xen-libs-4.13.5_08-150200.3.83.1
  • xen-tools-4.13.5_08-150200.3.83.1
  • xen-tools-domU-4.13.5_08-150200.3.83.1
  • xen-tools-xendomains-wait-disk-4.13.5_08-150200.3.83.1

SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • xen-4.13.5_08-150200.3.83.1
  • xen-devel-4.13.5_08-150200.3.83.1
  • xen-libs-4.13.5_08-150200.3.83.1
  • xen-tools-4.13.5_08-150200.3.83.1
  • xen-tools-domU-4.13.5_08-150200.3.83.1
  • xen-tools-xendomains-wait-disk-4.13.5_08-150200.3.83.1

Description

The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However, dom_io, being a PV domain, gets the AMD-Vi IOMMU page table levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary, amd_iommu_quarantine_init() will set up page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only. As a result, the last page table directory (PDE) effectively becomes a page table entry (PTE), and a device in quarantine mode gains write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignments, possibly leading to data leaks.
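The level mismatch described above, as an added example that is not part of the advisory or of Xen's code: a simplified C model in which four table levels are built while the walker uses the level count derived from the top of RAM. The names levels_for_max_addr, build_quarantine and dma_target_frame, the frame numbering and the RAM sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define PAGE_SHIFT    12
#define LEVEL_BITS    9
#define ENTRIES       (1u << LEVEL_BITS)
#define BUILT_LEVELS  4u             /* tables built for a 48-bit address width */
#define SCRATCH_FRAME BUILT_LEVELS   /* frame 4 is the scratch (sink) page */
/* Model memory: frames 0..3 hold the level 4..1 tables, frame 4 the scratch page. */
static uint64_t pool[BUILT_LEVELS + 1][ENTRIES];

/* Levels needed to cover all RAM below max_addr (simplified, hypothetical helper). */
unsigned levels_for_max_addr(uint64_t max_addr)
{
    uint64_t frames = (max_addr + (1ULL << PAGE_SHIFT) - 1) >> PAGE_SHIFT;
    unsigned levels = 1;
    for (; frames > ENTRIES; levels++)
        frames = (frames + ENTRIES - 1) >> LEVEL_BITS;
    return levels;
}

/* Quarantine layout: every entry of each table points at the next frame. */
void build_quarantine(void)
{
    for (unsigned f = 0; f < BUILT_LEVELS; f++)
        for (unsigned i = 0; i < ENTRIES; i++)
            pool[f][i] = f + 1;
}

/* Frame a DMA to dma_addr reaches when the hardware walks hw_levels levels. */
unsigned dma_target_frame(uint64_t dma_addr, unsigned hw_levels)
{
    unsigned frame = 0;              /* the walk starts at the root table */
    for (unsigned lvl = hw_levels; lvl >= 1; lvl--) {
        unsigned shift = PAGE_SHIFT + LEVEL_BITS * (lvl - 1);
        frame = (unsigned)pool[frame][(dma_addr >> shift) & (ENTRIES - 1)];
    }
    return frame;
}

int main(void)
{
    build_quarantine();
    for (uint64_t gib = 256; gib <= 1024; gib *= 2) {   /* constructed RAM sizes */
        unsigned hw = levels_for_max_addr(gib << 30);
        printf("%llu GiB: %u levels, DMA reaches frame %u (scratch is %u)\n",
               (unsigned long long)gib, hw, dma_target_frame(0x1000, hw), SCRATCH_FRAME);
    }
    return 0;
}
```

With 3 levels walked, the DMA lands in frame 3, the page built to hold the lowest-level table, instead of the scratch page in frame 4.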


Affected products
Image SLES15-SP2-BYOS-Azure:xen-libs-4.13.5_08-150200.3.83.1
Image SLES15-SP2-HPC-BYOS-Azure:xen-libs-4.13.5_08-150200.3.83.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:xen-libs-4.13.5_08-150200.3.83.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:xen-libs-4.13.5_08-150200.3.83.1


Description

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen.


Affected products
Image SLES15-SP2-BYOS-Azure:xen-libs-4.13.5_08-150200.3.83.1
Image SLES15-SP2-HPC-BYOS-Azure:xen-libs-4.13.5_08-150200.3.83.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production:xen-libs-4.13.5_08-150200.3.83.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production:xen-libs-4.13.5_08-150200.3.83.1
