CVE-2022-42331
https://notcve.org/view.php?id=CVE-2022-42331
x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. • http://www.openwall.com/lists/oss-security/2023/03/21/3 http://xenbits.xen.org/xsa/advisory-429.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5L6PM4RE7MUE6OWA32ZVOXCP235RM2TM https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APBMS2Q6746AXAFAITNJMGBNFGNMVLWR https://security.gentoo.org/glsa/202402-07 https://www.debian.org/security/2023/dsa-5378 https://xenbits.xenproject.org/xsa/advisory-429.txt •
CVE-2022-42310
https://notcve.org/view.php?id=CVE-2022-42310
Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base. Xenstore: los invitados pueden crear nodos huérfanos de Xenstore al crear varios nodos dentro de una transacción que genera un error, un invitado malintencionado puede crear nodos huérfanos en la base de datos de Xenstore, ya que la limpieza después del error no eliminará todos los nodos ya creados. Cuando la transacción se confirma después de esta situación, los nodos sin un padre válido pueden hacerse permanentes en la base de datos. • http://www.openwall.com/lists/oss-security/2022/11/01/5 http://xenbits.xen.org/xsa/advisory-415.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTMITQBGC23MSDHUCAPCVGLMVXIBXQTQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZVXG7OOOXCX6VIPEMLFDPIPUTFAYWPE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLI2NPNEH7CNJO3VZGQNOI4M4EWLNKPZ https://security.gentoo.org/glsa/202402-07 https:// • CWE-459: Incomplete Cleanup •
CVE-2022-26356
https://notcve.org/view.php?id=CVE-2022-26356
Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak. Una activación del modo de registro sucio realizada por XEN_DMOP_track_dirty_vram (es llamada HVMOP_track_dirty_vram antes de Xen versión 4.9) es producido con las hiperllamadas de registro sucio en curso. Una llamada a XEN_DMOP_track_dirty_vram con el tiempo apropiado puede habilitar log dirty mientras otra CPU está todavía en el proceso de desmontar las estructuras relacionadas con un modo log dirty previamente habilitado (XEN_DOMCTL_SHADOW_OP_OFF). • http://www.openwall.com/lists/oss-security/2022/04/05/1 http://xenbits.xen.org/xsa/advisory-397.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD https://security.gentoo.org/glsa/202402-07 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-397.txt • CWE-667: Improper Locking •
CVE-2022-23034
https://notcve.org/view.php?id=CVE-2022-23034
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check. • http://www.openwall.com/lists/oss-security/2022/01/25/3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-394.txt • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVE-2021-28703
https://notcve.org/view.php?id=CVE-2021-28703
grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. • https://security.gentoo.org/glsa/202402-07 https://xenbits.xenproject.org/xsa/advisory-387.txt •