SUSE-SU-2023:4486-1

Published: 20 Nov 2023
Source: suse-cvrf

Description

Security update for xen

This update for xen fixes the following issues:

  • CVE-2023-46835: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) (bsc#1216654).
  • CVE-2023-46836: x86: BTC/SRSO fixes not fully effective (XSA-446) (bsc#1216807).

Package list (fixed versions)

Image SLES12-SP5-EC2-BYOS
xen-libs-4.12.4_42-3.100.1
xen-tools-domU-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-ECS-On-Demand
xen-libs-4.12.4_42-3.100.1
xen-tools-domU-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-On-Demand
xen-libs-4.12.4_42-3.100.1
xen-tools-domU-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-SAP-BYOS
xen-libs-4.12.4_42-3.100.1
xen-tools-domU-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-SAP-On-Demand
xen-libs-4.12.4_42-3.100.1
xen-tools-domU-4.12.4_42-3.100.1
SUSE Linux Enterprise Server 12 SP5
xen-4.12.4_42-3.100.1
xen-doc-html-4.12.4_42-3.100.1
xen-libs-4.12.4_42-3.100.1
xen-libs-32bit-4.12.4_42-3.100.1
xen-tools-4.12.4_42-3.100.1
xen-tools-domU-4.12.4_42-3.100.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
xen-4.12.4_42-3.100.1
xen-doc-html-4.12.4_42-3.100.1
xen-libs-4.12.4_42-3.100.1
xen-libs-32bit-4.12.4_42-3.100.1
xen-tools-4.12.4_42-3.100.1
xen-tools-domU-4.12.4_42-3.100.1
SUSE Linux Enterprise Software Development Kit 12 SP5
xen-devel-4.12.4_42-3.100.1
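To check an inventory of installed xen packages against the fixed versions above, here is an added example (not SUSE's or Xen's code). It ports rpm's version-comparison algorithm, segment by segment, and compares an installed "VERSION-RELEASE" string against the fixed 4.12.4_42-3.100.1. The sample lines in main() are constructed for the example, not real host output; the tilde pre-release separator is handled, the caret separator is not.

```c
/* Added example: is an installed SLES 12 SP5 xen package at or above the
 * version fixed by SUSE-SU-2023:4486-1? Not code from the advisory or Xen. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Port of rpm's rpmvercmp(): split both strings into runs of digits or
 * letters, compare numeric runs by value and alpha runs with strcmp, let
 * '~' sort before everything else, and ignore separators ('.', '_', '-').
 * Returns -1, 0 or 1. The '^' separator of newer rpm is not handled. */
int rpmvercmp(const char *a, const char *b)
{
    char abuf[256], bbuf[256];
    char *one = abuf, *two = bbuf, *s1, *s2;

    if (strcmp(a, b) == 0)
        return 0;
    snprintf(abuf, sizeof abuf, "%s", a);
    snprintf(bbuf, sizeof bbuf, "%s", b);

    while (*one || *two) {
        while (*one && !isalnum((unsigned char)*one) && *one != '~') one++;
        while (*two && !isalnum((unsigned char)*two) && *two != '~') two++;

        if (*one == '~' || *two == '~') {       /* pre-release marker sorts first */
            if (*one != '~') return 1;
            if (*two != '~') return -1;
            one++; two++;
            continue;
        }
        if (!(*one && *two))
            break;

        s1 = one; s2 = two;
        int isnum = isdigit((unsigned char)*s1);
        if (isnum) {
            while (isdigit((unsigned char)*s1)) s1++;
            while (isdigit((unsigned char)*s2)) s2++;
        } else {
            while (isalpha((unsigned char)*s1)) s1++;
            while (isalpha((unsigned char)*s2)) s2++;
        }
        char c1 = *s1, c2 = *s2;                /* terminate the segments in place */
        *s1 = '\0'; *s2 = '\0';

        if (two == s2)                          /* numeric vs alpha: numeric is newer */
            return isnum ? 1 : -1;
        if (isnum) {
            while (*one == '0') one++;          /* drop leading zeros */
            while (*two == '0') two++;
            size_t l1 = strlen(one), l2 = strlen(two);
            if (l1 != l2) return l1 > l2 ? 1 : -1;   /* more digits wins */
        }
        int rc = strcmp(one, two);
        if (rc) return rc < 0 ? -1 : 1;

        *s1 = c1; *s2 = c2;                     /* restore and move past the segment */
        one = s1; two = s2;
    }
    if (!*one && !*two) return 0;
    return *one ? 1 : -1;                       /* leftover segments win */
}

/* Compare "VERSION-RELEASE" strings: version first, then release. */
int vrcmp(const char *a, const char *b)
{
    char va[128], vb[128];
    const char *ra = strrchr(a, '-'), *rb = strrchr(b, '-');
    size_t la = ra ? (size_t)(ra - a) : strlen(a);
    size_t lb = rb ? (size_t)(rb - b) : strlen(b);
    snprintf(va, sizeof va, "%.*s", (int)la, a);
    snprintf(vb, sizeof vb, "%.*s", (int)lb, b);
    int rc = rpmvercmp(va, vb);
    return rc ? rc : rpmvercmp(ra ? ra + 1 : "", rb ? rb + 1 : "");
}

#define FIXED_XEN_VR "4.12.4_42-3.100.1"     /* from the advisory's package list */

/* 1 if the installed VERSION-RELEASE is at or above the fixed one, else 0. */
int xen_is_fixed(const char *installed_vr)
{
    return vrcmp(installed_vr, FIXED_XEN_VR) >= 0;
}

int main(void)
{
    /* Constructed sample lines in the shape of
     * rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xen xen-libs xen-tools */
    const char *sample[] = {
        "xen 4.12.4_42-3.100.1",        /* fixed */
        "xen-libs 4.12.4_40-3.94.1",    /* older version: vulnerable */
        "xen-tools 4.12.4_42-3.97.2",   /* same version, older release: vulnerable */
    };
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++) {
        char name[64], vr[128];
        if (sscanf(sample[i], "%63s %127s", name, vr) == 2)
            printf("%-10s %-20s %s\n", name, vr,
                   xen_is_fixed(vr) ? "fixed" : "VULNERABLE, update to " FIXED_XEN_VR);
    }
    return 0;
}
```

On a live host `zypper` performs this comparison itself; the port is for checking exported package inventories offline, where only name and version-release strings are available. Note that the release number, not just the version, decides the result: 4.12.4_42-3.97.2 is below the fixed 4.12.4_42-3.100.1.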

Description: CVE-2023-46835 (XSA-445)

The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However, dom_io is a PV domain, so its AMD-Vi IOMMU page table level count is derived from the maximum (hot-pluggable) RAM address, and on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On such systems amd_iommu_quarantine_init() sets up page tables for the scratch page with 4 levels while the IOMMU is configured to walk only 3, so the last page directory entry (PDE) is effectively consumed as a page table entry (PTE), and a device in quarantine mode gains write access to the page that was destined to hold that page directory rather than to the scratch page. Because of this page table level mismatch, the sink page the device actually gets read/write access to is no longer the one cleared between device assignments, possibly leading to data leaks.
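As an added illustration (not Xen code), the following model reproduces the mismatch. Tables are built the way the text describes amd_iommu_quarantine_init() building them, with every entry of each level pointing at the next level's table and the last level at the scratch page, and a walker descends the number of levels the IOMMU is programmed with, not the number the tables were built with. The 8-page "physical memory", the 9-bits-per-level index and the present/write bit positions are assumptions of the model, not the real AMD-Vi entry format.

```c
/* Added model of the XSA-445 level mismatch; not Xen code. Addresses are
 * page index * 4 KiB inside an 8-page array, page 0 is never used so that
 * a 0 result means "no mapping". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096ULL
#define ENTRIES     (PAGE_SIZE / 8)
#define PTE_PRESENT (1ULL << 0)
#define PTE_WRITE   (1ULL << 1)        /* modelled position, not the AMD-Vi IW bit */
#define ADDR_MASK   (~(PAGE_SIZE - 1))

struct page { uint64_t e[ENTRIES]; };  /* 4 KiB: a page table or a data page */
static struct page mem[8];
#define SINK (&mem[7])                 /* the quarantine scratch page */

static uint64_t pa(const struct page *p) { return (uint64_t)(p - mem) * PAGE_SIZE; }
static struct page *page_at(uint64_t a) { return &mem[a / PAGE_SIZE]; }

/* Build `levels` tables in mem[1..levels], root first. Every entry of a
 * table points at the next table, and every entry of the last table at
 * SINK, so any DMA address resolves to the scratch page. */
static struct page *quarantine_init(int levels)
{
    memset(mem, 0, sizeof mem);
    for (int l = 0; l < levels; l++) {
        struct page *next = (l + 1 < levels) ? &mem[2 + l] : SINK;
        for (unsigned i = 0; i < ENTRIES; i++)
            mem[1 + l].e[i] = pa(next) | PTE_PRESENT | PTE_WRITE;
    }
    return &mem[1];
}

/* The hardware walk: descend `levels` levels from root, 9 index bits per
 * level, and return the entry reached at level 1. The walker only knows
 * the level count programmed for the domain, not how deep the tables are. */
static uint64_t iommu_walk(struct page *root, int levels, uint64_t dma)
{
    struct page *t = root;
    for (int lvl = levels; lvl >= 1; lvl--) {
        uint64_t ent = t->e[(dma >> (12 + 9 * (lvl - 1))) & (ENTRIES - 1)];
        if (!(ent & PTE_PRESENT)) return 0;
        if (lvl == 1) return ent;        /* treated as the PTE */
        t = page_at(ent & ADDR_MASK);    /* treated as a PDE */
    }
    return 0;
}

/* Physical address the DMA lands on, or 0 if unmapped or not writable. */
static uint64_t resolve(struct page *root, int levels, uint64_t dma)
{
    uint64_t pte = iommu_walk(root, levels, dma);
    if (!(pte & PTE_PRESENT) || !(pte & PTE_WRITE)) return 0;
    return (pte & ADDR_MASK) | (dma & (PAGE_SIZE - 1));
}

/* Where a quarantined device's write to `dma` goes when the tables were
 * built with built_levels but the IOMMU walks used_levels. */
uint64_t quarantine_target(int built_levels, int used_levels, uint64_t dma)
{
    return resolve(quarantine_init(built_levels), used_levels, dma);
}

/* Device A (quarantined) DMA-writes a byte, Xen zeroes the scratch page as
 * it does between assignments, then device B is quarantined and DMA-reads
 * the same address. Returns what B sees: 0 if cleared, A's byte if leaked,
 * -1 if the walk faults. */
int leak_between_assignments(int built_levels, int used_levels)
{
    const uint64_t dma = 0x1234;         /* any address; every entry is filled */
    struct page *root = quarantine_init(built_levels);
    uint64_t t = resolve(root, used_levels, dma);
    if (!t) return -1;
    ((uint8_t *)page_at(t))[t & (PAGE_SIZE - 1)] = 0x41;   /* device A's write */
    memset(SINK, 0, sizeof *SINK);       /* cleanup clears only the scratch page */
    t = resolve(root, used_levels, dma); /* device B, same address */
    return t ? ((uint8_t *)page_at(t))[t & (PAGE_SIZE - 1)] : -1;
}

int main(void)
{
    static const int cases[][2] = { {4, 4}, {3, 3}, {4, 3} };
    for (size_t i = 0; i < 3; i++) {
        int b = cases[i][0], u = cases[i][1];
        printf("built %d levels, walked %d: DMA lands on page %llu, next device reads 0x%02x\n",
               b, u, (unsigned long long)(quarantine_target(b, u, 0x1234) / PAGE_SIZE),
               leak_between_assignments(b, u));
    }
    return 0;
}
```

With matching depths the write lands on page 7 (the sink) and the zeroing between assignments removes it. With tables built for 4 levels and a 3-level walk, the entries of the table built as level 2 are consumed as PTEs, so the write lands on page 4, the page that was meant to hold the level-1 table, which the cleanup never touches; the next device reads it back.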


Affected products
Image SLES12-SP5-EC2-BYOS:xen-libs-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-BYOS:xen-tools-domU-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-ECS-On-Demand:xen-libs-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-ECS-On-Demand:xen-tools-domU-4.12.4_42-3.100.1


Description: CVE-2023-46836 (XSA-446)

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen.


Affected products
Image SLES12-SP5-EC2-BYOS:xen-libs-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-BYOS:xen-tools-domU-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-ECS-On-Demand:xen-libs-4.12.4_42-3.100.1
Image SLES12-SP5-EC2-ECS-On-Demand:xen-tools-domU-4.12.4_42-3.100.1

References
SUSE-SU-2023:4486-1 (SUSE security update)