CVE-2022-23034
https://notcve.org/view.php?id=CVE-2022-23034
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check. • http://www.openwall.com/lists/oss-security/2022/01/25/3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-394.txt • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVE-2022-23033
https://notcve.org/view.php?id=CVE-2022-23033
arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes. arm: la función guest_physmap_remove_page no elimina los mapeos p2m Las funciones para eliminar una o más entradas de una tabla de páginas p2m de huésped en Arm (p2m_remove_mapping, guest_physmap_remove_page y p2m_set_entry con mfn establecido como INVALID_MFN) no borran realmente la entrada de la tabla de páginas si la entrada no presenta el bit válido establecido. Es posible tener una entrada válida en la tabla de páginas sin el bit válido establecido cuando un sistema operativo huésped usa instrucciones de mantenimiento de caché set/way. Por ejemplo, un huésped que emite una instrucción de mantenimiento de caché set/way, y luego llama a la hiperllamada XENMEM_decrease_reservation para devolver páginas de memoria a Xen, podría ser capaz de retener el acceso a esas páginas incluso después de que Xen empezara a reusarlas para otros propósitos • http://www.openwall.com/lists/oss-security/2022/01/25/2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-393.txt • CWE-404: Improper Resource Shutdown or Release •
CVE-2021-28703
https://notcve.org/view.php?id=CVE-2021-28703
grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. • https://security.gentoo.org/glsa/202402-07 https://xenbits.xenproject.org/xsa/advisory-387.txt •
CVE-2021-28706
https://notcve.org/view.php?id=CVE-2021-28706
guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound. Los huéspedes pueden exceder su límite de memoria designado Cuando a un huésped se le permite tener cerca de 16TiB de memoria, puede ser capaz de emitir hypercalls para aumentar su asignación de memoria más allá del límite establecido por el administrador. Esto es el resultado de un cálculo realizado con precisión de 32 bits, que puede desbordarse. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF https://security.gentoo.org/glsa/202402-07 https://www.debian.org/security/2021/dsa-5017 https://xenbits.xenproject.org/xsa/advisory-385.txt • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2021-28705
https://notcve.org/view.php?id=CVE-2021-28705
issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7ZGWVVRI4XY2XSTBI3XEMWBXPDVX6OT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXUI4VMD52CH3T7YXAG3J2JW7ZNN3SXF https://security.gentoo.org/glsa/202402-07 https://www.debian.org/security/2021/dsa-5017 https://xenbits.xenproject.org/xsa/advisory-389.txt • CWE-755: Improper Handling of Exceptional Conditions •