Security update for xen SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:4486-1 Final 1 1 2023-11-20T13:23:53Z current 2023-11-20T13:23:53Z 2023-11-20T13:23:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xen This update for xen fixes the following issues: - CVE-2023-46835: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) (bsc#1216654). - CVE-2023-46836: x86: BTC/SRSO fixes not fully effective (XSA-446) (bsc#1216807). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-EC2-BYOS-2023-4486,Image SLES12-SP5-EC2-ECS-On-Demand-2023-4486,Image SLES12-SP5-EC2-On-Demand-2023-4486,Image SLES12-SP5-EC2-SAP-BYOS-2023-4486,Image SLES12-SP5-EC2-SAP-On-Demand-2023-4486,SUSE-2023-4486,SUSE-SLE-SDK-12-SP5-2023-4486,SUSE-SLE-SERVER-12-SP5-2023-4486 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20234486-1/ Link for SUSE-SU-2023:4486-1 https://lists.suse.com/pipermail/sle-security-updates/2023-November/017124.html E-Mail link for SUSE-SU-2023:4486-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216654 SUSE Bug 1216654 https://bugzilla.suse.com/1216807 SUSE Bug 1216807 https://www.suse.com/security/cve/CVE-2023-46835/ SUSE CVE CVE-2023-46835 page https://www.suse.com/security/cve/CVE-2023-46836/ SUSE CVE CVE-2023-46836 page Image SLES12-SP5-EC2-BYOS Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 xen-libs-4.12.4_42-3.100.1 xen-tools-domU-4.12.4_42-3.100.1 xen-4.12.4_42-3.100.1 xen-devel-4.12.4_42-3.100.1 xen-doc-html-4.12.4_42-3.100.1 xen-libs-32bit-4.12.4_42-3.100.1 xen-libs-64bit-4.12.4_42-3.100.1 xen-tools-4.12.4_42-3.100.1 xen-libs-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-BYOS xen-tools-domU-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-BYOS xen-libs-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand xen-tools-domU-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand xen-libs-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-On-Demand xen-tools-domU-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-On-Demand xen-libs-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS xen-tools-domU-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS xen-libs-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand xen-tools-domU-4.12.4_42-3.100.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand xen-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-doc-html-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-libs-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-libs-32bit-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-tools-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-tools-domU-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server 12 SP5 xen-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-doc-html-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-libs-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-libs-32bit-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-tools-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-tools-domU-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xen-devel-4.12.4_42-3.100.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks. CVE-2023-46835 Image SLES12-SP5-EC2-BYOS:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-BYOS:xen-tools-domU-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-tools-domU-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-On-Demand:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-On-Demand:xen-tools-domU-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-tools-domU-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-tools-domU-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-doc-html-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-32bit-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-domU-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-doc-html-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-32bit-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-domU-4.12.4_42-3.100.1 SUSE Linux Enterprise Software Development Kit 12 SP5:xen-devel-4.12.4_42-3.100.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234486-1/ https://www.suse.com/security/cve/CVE-2023-46835.html CVE-2023-46835 https://bugzilla.suse.com/1216654 SUSE Bug 1216654 The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen. CVE-2023-46836 Image SLES12-SP5-EC2-BYOS:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-BYOS:xen-tools-domU-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-ECS-On-Demand:xen-tools-domU-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-On-Demand:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-On-Demand:xen-tools-domU-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-SAP-BYOS:xen-tools-domU-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-libs-4.12.4_42-3.100.1 Image SLES12-SP5-EC2-SAP-On-Demand:xen-tools-domU-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-doc-html-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-32bit-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-libs-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-4.12.4_42-3.100.1 SUSE Linux Enterprise Server 12 SP5:xen-tools-domU-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-doc-html-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-32bit-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-libs-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-4.12.4_42-3.100.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xen-tools-domU-4.12.4_42-3.100.1 SUSE Linux Enterprise Software Development Kit 12 SP5:xen-devel-4.12.4_42-3.100.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20234486-1/ https://www.suse.com/security/cve/CVE-2023-46836.html CVE-2023-46836 https://bugzilla.suse.com/1216807 SUSE Bug 1216807