-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2023-34324 / XSA-441 version 4 Possible deadlock in Linux kernel event handling UPDATES IN VERSION 4 ==================== Public release. Modified advisory again to state that Arm32 guests are NOT affected. ISSUE DESCRIPTION ================= Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel on Arm doesn't use queued-RW-locks, which are required to trigger the issue (on Arm32 a waiting writer doesn't block further readers to get the lock). IMPACT ====== A (malicious) guest administrator could cause a denial of service (DoS) in a backend domain (other than dom0) by disabling a paravirtualized device. A malicious backend could cause DoS in a guest running a Linux kernel by disabling a paravirtualized device. VULNERABLE SYSTEMS ================== All unprivileged guests running a Linux kernel of version 5.10 and later, or with the fixes for XSA-332, are vulnerable. All guest types are vulnerable. Only x86- and 64-bit Arm-guests are vulnerable. Arm-guests running in 32-bit mode are not vulnerable. Guests not using paravirtualized drivers are not vulnerable. MITIGATION ========== There is no known mitigation. CREDITS ======= This issue was discovered as a bug by Marek Marczykowski-Górecki of Invisible Things Lab; the security impact was recognised by Jürgen Groß of SUSE. RESOLUTION ========== Applying the attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa441-linux.patch Linux $ sha256sum xsa441* 937406d86dd6dd3e389fdae726a25e5f0e960f7004c314e370cb2369d6715c24 xsa441-linux.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) on the host and on VMs being administered and used only by organisations which are members of the Xen Project Security Issue Predisclosure List is permitted during the embargo, even on public-facing systems with other untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. Deployment of patches or mitigations is NOT permitted on VMs being administered or used by organisations which are not members of the Xen Project Security Issue Predisclosure List. On those VMs deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUlNOkMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZOmAH/3D7dRH11wIRyFZ/nj4pwkPfPXvCDtUmaRXfAaV4 Xe9ODMSevcEQpSFW4VY6eK7DP6kqYMM7myoy+np8Ttnin7+y+PYUJkxM+liqhLyT fhGi74NNuQLMvGcSKp26aIHAJNtZqWFeRTlEFJHlY4S6ENRoupWd2T2qgnts00NX R4NzZ8yQFcsmvy9gqgq6MYoa2VIrhQlpiDPX81pA/HViv0GiXab1QSYTyI9jQ2EX WC19sELYSK2jMAjuejHlw28B+giy0KxcJv6zewn3Jwn8h3ft4AI1OIh4KfOtEad+ wptYB87EM76Lr3B8ipFEvN4sSU1yBnE4iVOgZpAs74mylN8= =hOm2 -----END PGP SIGNATURE-----