gsd-2022-26356
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
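Racy interactions between dirty vram tracking and paging log dirty hypercalls. Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (named HVMOP_track_dirty_vram before Xen 4.9) races with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to the lack of mutually exclusive locking between the two operations and can lead to entries being added in already freed slots, resulting in a memory leak. Per the record below (Xen advisory XSA-397), the leak can eventually cause a denial of service affecting the entire host; only x86 systems are affected, and only domains controlling an HVM guest that uses Hardware Assisted Paging (HAP) can leverage it, so using only PV or PVH guests and/or running HVM guests in shadow mode avoids the vulnerability.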
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2022-26356",
    "description": "Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak.",
    "id": "GSD-2022-26356",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-26356.html",
      "https://www.debian.org/security/2022/dsa-5117",
      "https://linux.oracle.com/cve/CVE-2022-26356.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-26356"
      ],
      "details": "Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak.",
      "id": "GSD-2022-26356",
      "modified": "2023-12-13T01:19:38.818557Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@xen.org",
        "ID": "CVE-2022-26356",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "xen",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "?",
                          "version_value": "consult Xen advisory XSA-397"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Xen"
            }
          ]
        }
      },
      "configuration": {
        "configuration_data": {
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "All Xen versions from at least 4.0 onwards are vulnerable.\n\nOnly x86 systems are vulnerable.  Arm systems are not vulnerable.\n\nOnly domains controlling an x86 HVM guest using Hardware Assisted Paging (HAP)\ncan leverage the vulnerability.  On common deployments this is limited to\ndomains that run device models on behalf of guests."
              }
            ]
          }
        }
      },
      "credit": {
        "credit_data": {
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "This issue was discovered by Roger Pau Monn\u00e9 of Citrix."
              }
            ]
          }
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak."
          }
        ]
      },
      "impact": {
        "impact_data": {
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "An attacker can cause Xen to leak memory, eventually leading to a Denial of\nService (DoS) affecting the entire host."
              }
            ]
          }
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "unknown"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://xenbits.xenproject.org/xsa/advisory-397.txt",
            "refsource": "MISC",
            "url": "https://xenbits.xenproject.org/xsa/advisory-397.txt"
          },
          {
            "name": "http://xenbits.xen.org/xsa/advisory-397.html",
            "refsource": "CONFIRM",
            "url": "http://xenbits.xen.org/xsa/advisory-397.html"
          },
          {
            "name": "[oss-security] 20220405 Xen Security Advisory 397 v2 (CVE-2022-26356) - Racy interactions between dirty vram tracking and paging log dirty hypercalls",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/04/05/1"
          },
          {
            "name": "DSA-5117",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2022/dsa-5117"
          },
          {
            "name": "FEDORA-2022-dfbf7e2372",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
          },
          {
            "name": "FEDORA-2022-64b2c02d29",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
          },
          {
            "name": "GLSA-202402-07",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202402-07"
          }
        ]
      },
      "workaround": {
        "workaround_data": {
          "description": {
            "description_data": [
              {
                "lang": "eng",
                "value": "Using only PV or PVH guests and/or running HVM guests in shadow mode will avoid\nthe vulnerability."
              }
            ]
          }
        }
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*",
                    "matchCriteriaId": "D4199860-E11E-4F84-BA0C-A9CB463C7A74",
                    "versionEndExcluding": "4.12.0",
                    "versionStartIncluding": "4.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*",
                    "matchCriteriaId": "F64332BF-1144-4924-8413-FA14FB0A94B6",
                    "versionEndExcluding": "4.14.0",
                    "versionStartIncluding": "4.13.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*",
                    "matchCriteriaId": "71566154-EA2A-4C5F-AC6A-8EFBD6159BB9",
                    "versionEndExcluding": "4.16.0",
                    "versionStartIncluding": "4.15.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                    "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak."
          },
          {
            "lang": "es",
            "value": "Una activaci\u00f3n del modo de registro sucio realizada por XEN_DMOP_track_dirty_vram (es llamada HVMOP_track_dirty_vram antes de Xen versi\u00f3n 4.9) es producido con las hiperllamadas de registro sucio en curso. Una llamada a XEN_DMOP_track_dirty_vram con el tiempo apropiado puede habilitar log dirty mientras otra CPU est\u00e1 todav\u00eda en el proceso de desmontar las estructuras relacionadas con un modo log dirty previamente habilitado (XEN_DOMCTL_SHADOW_OP_OFF). Esto es debido a una falta de bloqueo mutuamente excluyente entre ambas operaciones y puede conllevar a que son a\u00f1adidas entradas en ranuras ya liberadas, dando lugar a una p\u00e9rdida de memoria"
          }
        ],
        "id": "CVE-2022-26356",
        "lastModified": "2024-02-04T08:15:09.967",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "HIGH",
                "accessVector": "LOCAL",
                "authentication": "NONE",
                "availabilityImpact": "COMPLETE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:C",
                "version": "2.0"
              },
              "exploitabilityScore": 1.9,
              "impactScore": 6.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.1,
              "impactScore": 4.0,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-04-05T13:15:07.727",
        "references": [
          {
            "source": "security@xen.org",
            "tags": [
              "Mailing List",
              "Patch",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/04/05/1"
          },
          {
            "source": "security@xen.org",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "http://xenbits.xen.org/xsa/advisory-397.html"
          },
          {
            "source": "security@xen.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ETPM2OVZZ6KOS2L7QO7SIW6XWT5OW3F/"
          },
          {
            "source": "security@xen.org",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHFSRVLM2JUCPDC2KGB7ETPQYJLCGBLD/"
          },
          {
            "source": "security@xen.org",
            "url": "https://security.gentoo.org/glsa/202402-07"
          },
          {
            "source": "security@xen.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5117"
          },
          {
            "source": "security@xen.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://xenbits.xenproject.org/xsa/advisory-397.txt"
          }
        ],
        "sourceIdentifier": "security@xen.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-667"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}


