1186429 – (CVE-2021-28692) VUL-0: CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (XSA-373)

Bug 1186429 (CVE-2021-28692) - VUL-0: CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (XSA-373)

Summary: VUL-0: CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handl...

Status:	RESOLVED FIXED

Alias:	CVE-2021-28692

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/300697/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-28692:4.2:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2021-05-25 14:57 UTC by Robert Frohl
Modified:	2024-05-23 15:35 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 6 Robert Frohl 2021-06-09 06:36:31 UTC

Xen Security Advisory CVE-2021-28692 / XSA-373
                               version 2

         inappropriate x86 IOMMU timeout detection / handling

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

IOMMUs process commands issued to them in parallel with the operation
of the CPU(s) issuing such commands.  In the current implementation in
Xen, asynchronous notification of the completion of such commands is
not used.  Instead, the issuing CPU spin-waits for the completion of
the most recently issued command(s).  Some of these waiting loops try
to apply a timeout to fail overly-slow commands.  The course of action
upon a perceived timeout actually being detected is inappropriate:
 - on Intel hardware guests which did not originally cause the timeout
   may be marked as crashed,
 - on AMD hardware higher layer callers would not be notified of the
   issue, making them continue as if the IOMMU operation succeeded.

IMPACT
======

A malicious guest may be able to elevate its privileges to that of the
host, cause host or guest Denial of Service (DoS), or cause information
leaks.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems with in-use IOMMU hardware are vulnerable.  x86 systems
without any IOMMUs in use are not vulnerable.  On Arm systems IOMMU /
SMMU use is not security supported.

Only x86 guests which have physical devices passed through to them can
leverage the vulnerability.

MITIGATION
==========

Not passing through physical devices to untrusted guests will avoid
the vulnerability.

CREDITS
=======

This issue was discovered by Igor Druzhinin and Andrew Cooper of Citrix,
and further issues were uncovered by by Jan Beulich of SUSE while trying
to fix the first issue.

RESOLUTION
==========

Applying the appropriate set of attached patches resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa373/xsa373-?.patch           xen-unstable
xsa373/xsa373-4.15-?.patch      Xen 4.15.x
xsa373/xsa373-4.14-?.patch      Xen 4.14.x
xsa373/xsa373-4.13-?.patch      Xen 4.13.x
xsa373/xsa373-4.12-?.patch      Xen 4.12.x
xsa373/xsa373-4.11-?.patch      Xen 4.11.x

$ sha256sum xsa373* xsa373*/*
2ded01092088735e0d8a0e378a41b772ec0f17ceb7afabc78228670c43407fc2  xsa373.meta
f62df56cd176237521aa2ed4a22b0e893318b85bb0ce3c17bd7fca5282b6105b  xsa373/xsa373-1.patch
9eed9566508e116c4da6c201b36fe7e53e98f2daf96cce8ed0a9ca192d783edc  xsa373/xsa373-2.patch
ffee9d17e40798c053a67707dd13d7a944e4a53de7bcfe3e146eac7871ca2608  xsa373/xsa373-3.patch
c51bea462222c090ae671f14471ece00724348e6c04e5850f9b91d0b1eceaad8  xsa373/xsa373-4.11-1.patch
9a3b331e404a38c72ec154cefd78f1f67db6f25dcc1bd554b37ff50899ea42ff  xsa373/xsa373-4.11-2.patch
dba77bce4e6c88ec43df61e88bd5c8bee6e32c0ff681cbeddc4bceb0ee6c73dd  xsa373/xsa373-4.11-3.patch
b1f14e8885e3004de79c5012a1d9278d7a0c39633c5b73cbfda28679f1722c38  xsa373/xsa373-4.11-4.patch
791bccec1e7ba4429a0bafef5fd5a35a68562cee333d0962c70477172493ef3b  xsa373/xsa373-4.11-5.patch
cc4e1bcef148dbfc94ada92bef4408c5516cff2cf249e43c5595b1dbffbbc1e4  xsa373/xsa373-4.12-1.patch
12ffdac1526d96c4f1b572360a7f1a0371e8a177cf15228b126c1032de4e8930  xsa373/xsa373-4.12-2.patch
619425ba44f449bf7b0f519040ee579adff0d0293a95e9b0f70c943c02ae22fb  xsa373/xsa373-4.12-3.patch
b1f14e8885e3004de79c5012a1d9278d7a0c39633c5b73cbfda28679f1722c38  xsa373/xsa373-4.12-4.patch
96b3dd11d38ca8ca0b2dfe2dfb571045fcda78dbfe416580c9b04c5a8ce5fcef  xsa373/xsa373-4.12-5.patch
4add1d05ad2780904ebc89b4d1a93a8f2757b6e9f45b075afce46392ae406b58  xsa373/xsa373-4.13-1.patch
b064324db709078b8ef479df0c31ff3391a506755bfb0186d7d165592d025357  xsa373/xsa373-4.13-2.patch
6fe47fbba0c9d86f48643182d8a7c64ff70a7c8b290b0e93afe1d43d04bed480  xsa373/xsa373-4.13-3.patch
b1f14e8885e3004de79c5012a1d9278d7a0c39633c5b73cbfda28679f1722c38  xsa373/xsa373-4.13-4.patch
96b3dd11d38ca8ca0b2dfe2dfb571045fcda78dbfe416580c9b04c5a8ce5fcef  xsa373/xsa373-4.13-5.patch
4add1d05ad2780904ebc89b4d1a93a8f2757b6e9f45b075afce46392ae406b58  xsa373/xsa373-4.14-1.patch
8e61b7dda9ea21a830454e629fd23e3379b73fb230bd04107618e45975e117d1  xsa373/xsa373-4.14-2.patch
a5aa80d8e893c268f171a5e429bfef0c553522f860e3e5132b4bd87d3a73c6b7  xsa373/xsa373-4.14-3.patch
25bfd2b821ae2cc867b8e2d480528ebd435da76cfab766e8106573cf8dc6f36c  xsa373/xsa373-4.14-4.patch
162b3f14d15fe5ca2cb659efad6635f3803dde6fa97a6f0f1f7f202d3ea72d94  xsa373/xsa373-4.14-5.patch
4add1d05ad2780904ebc89b4d1a93a8f2757b6e9f45b075afce46392ae406b58  xsa373/xsa373-4.15-1.patch
9eed9566508e116c4da6c201b36fe7e53e98f2daf96cce8ed0a9ca192d783edc  xsa373/xsa373-4.15-2.patch
13642541b056ed47129d8143a919bcc81a73797baedc3bd90afeb33f021e6d31  xsa373/xsa373-4.15-3.patch
b2517a7e92c26a818e94ed5133d5aef6ef1d3a7a98f2f5355f1ad6f30baa3ab9  xsa373/xsa373-4.15-4.patch
3ca056796b93cb07ddb7e1dfda98410162382fc56135eb08bc5ff19137d8c427  xsa373/xsa373-4.15-5.patch
b2517a7e92c26a818e94ed5133d5aef6ef1d3a7a98f2f5355f1ad6f30baa3ab9  xsa373/xsa373-4.patch
0b7bb146330f7fdc7c8c331a618307819073654a13d9fe1d0a8b83ab037ae802  xsa373/xsa373-5.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html

Comment 13 Swamp Workflow Management 2021-09-02 13:25:10 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2923-1: An update that solves 11 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1176189,1179246,1183243,1183877,1185682,1186428,1186429,1186433,1186434,1187406,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    xen-4.14.2_04-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xen-4.14.2_04-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 14 Swamp Workflow Management 2021-09-02 13:39:06 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2922-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1027519,1137251,1176189,1179148,1179246,1180491,1181989,1183877,1185682,1186428,1186429,1186433,1186434,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    xen-4.13.3_02-3.34.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    xen-4.13.3_02-3.34.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    xen-4.13.3_02-3.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2021-09-02 13:42:31 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2924-1: An update that solves 15 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1027519,1179246,1180491,1180846,1182654,1183243,1185682,1186428,1186429,1186433,1186434,1187369,1187376,1187378,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xen-4.12.4_12-3.49.1
SUSE Linux Enterprise Server 12-SP5 (src):    xen-4.12.4_12-3.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Swamp Workflow Management 2021-09-02 13:47:10 UTC

# maintenance_jira_update_notice
openSUSE-SU-2021:2923-1: An update that solves 11 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1176189,1179246,1183243,1183877,1185682,1186428,1186429,1186433,1186434,1187406,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    xen-4.14.2_04-3.9.1

Comment 17 Swamp Workflow Management 2021-09-02 16:26:07 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2925-1: An update that solves 11 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1027519,1179148,1179246,1180491,1180846,1181989,1183243,1186428,1186429,1186433,1186434,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    xen-4.12.4_12-3.52.1
SUSE Manager Retail Branch Server 4.0 (src):    xen-4.12.4_12-3.52.1
SUSE Manager Proxy 4.0 (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xen-4.12.4_12-3.52.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xen-4.12.4_12-3.52.1
SUSE Enterprise Storage 6 (src):    xen-4.12.4_12-3.52.1
SUSE CaaS Platform 4.0 (src):    xen-4.12.4_12-3.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Swamp Workflow Management 2021-09-03 13:39:46 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2943-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1186429,1186433,1186434,1189373,1189376,1189378,1189380,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    xen-4.10.4_26-3.61.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xen-4.10.4_26-3.61.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xen-4.10.4_26-3.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Swamp Workflow Management 2021-09-03 16:29:23 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2955-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1181254,1182654,1186429,1186433,1186434,1187369,1187376,1187378,1189373,1189376,1189378,1189380,1189882
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-3308,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xen-4.11.4_20-2.60.1
SUSE OpenStack Cloud 9 (src):    xen-4.11.4_20-2.60.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xen-4.11.4_20-2.60.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xen-4.11.4_20-2.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Swamp Workflow Management 2021-09-06 13:16:53 UTC

# maintenance_jira_update_notice
SUSE-SU-2021:2957-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1182654,1186429,1186433,1186434,1187369,1187376,1187378,1189373,1189376,1189378,1189380,1189882
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    xen-4.9.4_20-3.91.1
SUSE OpenStack Cloud 8 (src):    xen-4.9.4_20-3.91.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xen-4.9.4_20-3.91.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xen-4.9.4_20-3.91.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xen-4.9.4_20-3.91.1
HPE Helion Openstack 8 (src):    xen-4.9.4_20-3.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Swamp Workflow Management 2021-09-07 13:33:48 UTC

# maintenance_jira_update_notice
openSUSE-SU-2021:1236-1: An update that solves 11 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1027519,1137251,1176189,1179148,1179246,1180491,1181989,1183877,1185682,1186428,1186429,1186433,1186434,1188050,1189373,1189376,1189378,1189380,1189381,1189882
CVE References: CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    xen-4.13.3_02-lp152.2.27.1

Comment 23 Swamp Workflow Management 2021-10-07 22:16:45 UTC

SUSE-SU-2021:3322-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1182654,1186429,1186433,1186434,1187369,1187376,1187378,1189373,1189376,1189378,1189632,1189882
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28701,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xen-4.7.6_16-43.79.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 25 Swamp Workflow Management 2021-12-01 21:06:29 UTC

SUSE-SU-2021:14848-1: An update that fixes 17 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1182654,1186013,1186429,1186433,1186434,1187369,1187376,1187378,1189150,1189376,1189378,1189632,1192526,1192554,1192555,1192559
CVE References: CVE-2021-0089,CVE-2021-20255,CVE-2021-28690,CVE-2021-28692,CVE-2021-28697,CVE-2021-28698,CVE-2021-28701,CVE-2021-28703,CVE-2021-28705,CVE-2021-28706,CVE-2021-28709,CVE-2021-3527,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595,CVE-2021-3682,CVE-2021-3930
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xen-4.4.4_50-61.67.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_50-61.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 33 Andrea Mattiazzo 2024-05-23 15:35:35 UTC

All done, closing.