CVE-2022-23033

arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes.

CVSS v3 7.8 HIGH
CVSS v2.0 4.6 MEDIUM

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/01/25/2	Mailing List Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/
https://security.gentoo.org/glsa/202208-23	Third Party Advisory
https://www.debian.org/security/2022/dsa-5117	Third Party Advisory
https://xenbits.xenproject.org/xsa/advisory-393.txt	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:xen:xen:*:*:*:*:*:*:arm:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-01-25 14:15

Updated : 2023-11-07 03:44

NVD link : CVE-2022-23033

Mitre link : CVE-2022-23033

CVE.ORG link : CVE-2022-23033

JSON object : View

Products Affected

xen

xen

fedoraproject

fedora

debian

debian_linux

CWE

CWE-404

Improper Resource Shutdown or Release

{"id": "CVE-2022-23033", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2022-01-25T14:15:08.967", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/01/25/2", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "security@xen.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMR6UBGJW6JKND7IILGQ2CU35EQPF3E3/", "source": "security@xen.org"}, {"url": "https://security.gentoo.org/glsa/202208-23", "tags": ["Third Party Advisory"], "source": "security@xen.org"}, {"url": "https://www.debian.org/security/2022/dsa-5117", "tags": ["Third Party Advisory"], "source": "security@xen.org"}, {"url": "https://xenbits.xenproject.org/xsa/advisory-393.txt", "tags": ["Vendor Advisory"], "source": "security@xen.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-404"}]}], "descriptions": [{"lang": "en", "value": "arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes."}, {"lang": "es", "value": "arm: la funci\u00f3n guest_physmap_remove_page no elimina los mapeos p2m Las funciones para eliminar una o m\u00e1s entradas de una tabla de p\u00e1ginas p2m de hu\u00e9sped en Arm (p2m_remove_mapping, guest_physmap_remove_page y p2m_set_entry con mfn establecido como INVALID_MFN) no borran realmente la entrada de la tabla de p\u00e1ginas si la entrada no presenta el bit v\u00e1lido establecido. Es posible tener una entrada v\u00e1lida en la tabla de p\u00e1ginas sin el bit v\u00e1lido establecido cuando un sistema operativo hu\u00e9sped usa instrucciones de mantenimiento de cach\u00e9 set/way. Por ejemplo, un hu\u00e9sped que emite una instrucci\u00f3n de mantenimiento de cach\u00e9 set/way, y luego llama a la hiperllamada XENMEM_decrease_reservation para devolver p\u00e1ginas de memoria a Xen, podr\u00eda ser capaz de retener el acceso a esas p\u00e1ginas incluso despu\u00e9s de que Xen empezara a reusarlas para otros prop\u00f3sitos"}], "lastModified": "2023-11-07T03:44:01.610", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:arm:*", "vulnerable": true, "matchCriteriaId": "396875EE-05D8-4BD5-B345-9E6FB343C02B", "versionStartIncluding": "4.12.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}], "operator": "OR"}]}], "sourceIdentifier": "security@xen.org"}