CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2022-26356
https://notcve.org/view.php?id=CVE-2022-26356
Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak. Una activación del modo de registro sucio realizada por XEN_DMOP_track_dirty_vram (es llamada HVMOP_track_dirty_vram antes de Xen versión 4.9) es producido con las hiperllamadas de registro sucio en curso. Una llamada a XEN_DMOP_track_dirty_vram con el tiempo apropiado puede habilitar log dirty mientras otra CPU está todavía en el proceso de desmontar las estructuras relacionadas con un modo log dirty previamente habilitado (XEN_DOMCTL_SHADOW_OP_OFF). • http://www.openwall.com/lists/oss-security/2022/04/05/1 http://xenbits.xen.org/xsa/advisory-397.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD https://security.gentoo.org/glsa/202402-07 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-397.txt • CWE-667: Improper Locking •
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26357
https://notcve.org/view.php?id=CVE-2022-26357
race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed. Una carrera en la limpieza del ID de dominio de VT-d Los ID de dominio de Xen presentan hasta 15 bits de ancho. • http://www.openwall.com/lists/oss-security/2022/04/05/2 http://xenbits.xen.org/xsa/advisory-399.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD https://security.gentoo.org/glsa/202402-07 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-399.txt • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2022-23035
https://notcve.org/view.php?id=CVE-2022-23035
Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid. Un saneo insuficiente de las IRQs de dispositivos pasados. • http://www.openwall.com/lists/oss-security/2022/01/25/4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-395.txt • CWE-459: Incomplete Cleanup •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-23034
https://notcve.org/view.php?id=CVE-2022-23034
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check. • http://www.openwall.com/lists/oss-security/2022/01/25/3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-394.txt • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-23033
https://notcve.org/view.php?id=CVE-2022-23033
arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes. arm: la función guest_physmap_remove_page no elimina los mapeos p2m Las funciones para eliminar una o más entradas de una tabla de páginas p2m de huésped en Arm (p2m_remove_mapping, guest_physmap_remove_page y p2m_set_entry con mfn establecido como INVALID_MFN) no borran realmente la entrada de la tabla de páginas si la entrada no presenta el bit válido establecido. Es posible tener una entrada válida en la tabla de páginas sin el bit válido establecido cuando un sistema operativo huésped usa instrucciones de mantenimiento de caché set/way. Por ejemplo, un huésped que emite una instrucción de mantenimiento de caché set/way, y luego llama a la hiperllamada XENMEM_decrease_reservation para devolver páginas de memoria a Xen, podría ser capaz de retener el acceso a esas páginas incluso después de que Xen empezara a reusarlas para otros propósitos • http://www.openwall.com/lists/oss-security/2022/01/25/2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3 https://security.gentoo.org/glsa/202208-23 https://www.debian.org/security/2022/dsa-5117 https://xenbits.xenproject.org/xsa/advisory-393.txt • CWE-404: Improper Resource Shutdown or Release •