CVE-2022-26364
Xen PV Guest Non-SELFSNOOP CPU Memory Corruption
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.
x86 pv: Cuidado insuficiente con los mapeos no coherentes [Este registro de información CNA se relaciona con múltiples CVEs; el texto explica qué aspectos/vulnerabilidades corresponden a cada CVE]. Xen mantiene un recuento de referencias de tipo para las páginas, además de un recuento de referencias regulares. Este esquema es usado para mantener invariantes requeridos para la seguridad de Xen, por ejemplo, los invitados de PV no pueden tener acceso directo de escritura a las tablas de páginas; las actualizaciones necesitan ser auditadas por Xen. Desafortunadamente, la lógica de seguridad de Xen no presenta en cuenta la no-coherencia de la caché inducida por la CPU; casos en los que la CPU puede causar que el contenido de la caché sea diferente al contenido en la memoria principal. En estos casos, la lógica de seguridad de Xen puede concluir incorrectamente que el contenido de una página es seguro
On CPUs without SELFSNOOP support, a Xen PV domain that has access to a PCI device (which grants the domain the ability to set arbitrary cache attributes on all its pages) can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually differs from main memory. After the pagetable has been validated, an attacker can flush the "clean" cacheline, such that on the next load, unvalidated data from main memory shows up in the pagetable.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-03-02 CVE Reserved
- 2022-06-09 CVE Published
- 2024-01-29 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2022/06/09/4 | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| http://packetstormsecurity.com/files/167710/Xen-PV-Guest-Non-SELFSNOOP-CPU-Memory-Corruption.html | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| http://xenbits.xen.org/xsa/advisory-402.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Xen Search vendor "Xen" | Xen Search vendor "Xen" for product "Xen" | * | x86 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 36 Search vendor "Fedoraproject" for product "Fedora" and version "36" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||