SUSE-SU-2023:4485-1

Published: 20 Nov 2023
Source: suse-cvrf

Description

Security update for xen

This update for xen fixes the following issues:

  • CVE-2023-46835: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) (bsc#1216654).
  • CVE-2023-46836: x86: BTC/SRSO fixes not fully effective (XSA-446) (bsc#1216807).

Package list

SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
  • xen-4.12.4_42-150100.3.98.1
  • xen-devel-4.12.4_42-150100.3.98.1
  • xen-libs-4.12.4_42-150100.3.98.1
  • xen-tools-4.12.4_42-150100.3.98.1
  • xen-tools-domU-4.12.4_42-150100.3.98.1

SUSE Linux Enterprise Server 15 SP1-LTSS
  • xen-4.12.4_42-150100.3.98.1
  • xen-devel-4.12.4_42-150100.3.98.1
  • xen-libs-4.12.4_42-150100.3.98.1
  • xen-tools-4.12.4_42-150100.3.98.1
  • xen-tools-domU-4.12.4_42-150100.3.98.1

SUSE Linux Enterprise Server for SAP Applications 15 SP1
  • xen-4.12.4_42-150100.3.98.1
  • xen-devel-4.12.4_42-150100.3.98.1
  • xen-libs-4.12.4_42-150100.3.98.1
  • xen-tools-4.12.4_42-150100.3.98.1
  • xen-tools-domU-4.12.4_42-150100.3.98.1

Description

The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However, dom_io, being a PV domain, gets its AMD-Vi IOMMU page table levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary, amd_iommu_quarantine_init() will set up page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only. As a result, the last page table directory (PDE) effectively becomes a page table entry (PTE), and a device in quarantine mode gains write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignments, possibly leading to data leaks.
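
A simplified model of the level mismatch described above, as an added example that is not Xen's code or part of the advisory. The names `levels_for`, `dma_target` and the page labels are hypothetical, and the model assumes 4 KiB pages with 9 address bits per level.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12 /* 4 KiB pages */
#define LEVEL_BITS 9  /* 512 entries per table, so 9 address bits per level */

/* Levels needed to cover every address below max_addr (simplified model). */
static unsigned levels_for(uint64_t max_addr)
{
    unsigned levels = 1;
    while (levels < 6 && ((max_addr - 1) >> (PAGE_SHIFT + LEVEL_BITS * levels)))
        levels++;
    return levels;
}

/* Pages on the single path that a 4-level quarantine setup builds. */
enum page { TBL_L4, TBL_L3, TBL_L2, TBL_L1, SCRATCH, NPAGES };
static const char *const page_name[NPAGES] = {
    "root table", "level-3 table", "level-2 table", "level-1 table", "scratch page"
};
/* Model assumption: one pointer per page stands for the path through it. */
static const enum page next_page[NPAGES] = { TBL_L3, TBL_L2, TBL_L1, SCRATCH, SCRATCH };

/* Page a device access lands on when the walker follows walker_levels pointers. */
static enum page dma_target(unsigned walker_levels)
{
    enum page p = TBL_L4;
    for (unsigned i = 0; i < walker_levels; i++)
        p = next_page[p];
    return p;
}

int main(void)
{
    /* Constructed sample values: exactly 512GB, just above it, and 48 bits. */
    const uint64_t max_ram[] = { 1ULL << 39, (1ULL << 39) + 1, 1ULL << 48 };
    for (unsigned i = 0; i < sizeof(max_ram) / sizeof(max_ram[0]); i++) {
        unsigned hw = levels_for(max_ram[i]);
        enum page hit = dma_target(hw);
        printf("max RAM %#llx: IOMMU walks %u levels, tables built with 4, "
               "device reaches the %s%s\n",
               (unsigned long long)max_ram[i], hw, page_name[hit],
               hit == SCRATCH ? "" : " (mismatch)");
    }
    return 0;
}
```
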


Affected products
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xen-4.12.4_42-150100.3.98.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xen-devel-4.12.4_42-150100.3.98.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xen-libs-4.12.4_42-150100.3.98.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xen-tools-4.12.4_42-150100.3.98.1

Description

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths: one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen.


Affected products
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xen-4.12.4_42-150100.3.98.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xen-devel-4.12.4_42-150100.3.98.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xen-libs-4.12.4_42-150100.3.98.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:xen-tools-4.12.4_42-150100.3.98.1

References
Vulnerability SUSE-SU-2023:4485-1