As a result, the guest gets a message (e.g. ‘invalid request’) and aborts the request. This should result in the hypervisor not being able to handle the unmapping request. At the same time, the hypervisor should also not be handling the unmapping request. As a result, the bug check gets triggered, resulting in the hypervisor being in a state where it cannot handle the next request. This can be used to crash the hypervisor. Resilient Xen Project has issued a patch to resolve this XSA. When a Xen guest has IOMMU enabled, it utilizes a feature called ‘grant mappings’ to map virtual addresses from the host to guest physical addresses. Every such mapping has a reference count that is incremented by the number of times the mapping is unmapped. The reference count for a mapping can be inspected with the xl command. A possible attack vector could be to create a PV guest that requests unmapped mapping. The xl command can be used to verify whether a host has a mapping for a given guest physical address. In such a scenario, the PV guest requests an unmapped mapping, decrementing the reference count of the mapping. The hypervisor, in the context of the IOMMU, is not aware of this reference count decrement, leading to an invalid reference count. This can be used to trigger a hypervisor bug check, resulting in a crash. RESOLUTION

CVE-2022-23034 has been assigned to the Xen Security Advisory a-link. The vulnerability is due to an issue in the grant mapping handling in the IOMMU emulation code that could result in an invalid reference count and hypervisor bug check due to unmapped memory being dereferenced. This issue is resolved by adding a new feature flag to dynamically enable or disable guest physical address mapping, which is enabled by default. When this feature flag is set, it prevents referencing of any unmapped memory that may have previously been dereferenced and leads to a hypervisor bug check on invalid reference count.

Xen Overview

Xen is an open-source hypervisor that allows you to run multiple operating systems on a single computer. It is compatible with most hardware platforms, including Intel and ARM. Xen has several security exposures to consider when implementing a secure environment.
1) Memory access control:
Memory access control in Xen can be broken by an attacker. This bug fix resolves memory access control issues, specifically allowing privileged users to write beyond the bounds of allocated memory. For example, this lets certain users read sensitive data from another user's paged-out area, which can lead to information disclosure or privilege escalation.
2) libxl:
Libxl is a library that implements virtualization functionality for Xen guests as well as other third-party software, such as KVM or VBox. The libxl library uses a reference count system to pass messages between userspace and the kernel space of the guest. In order to exploit libxl's reference count system, one must obtain the ability to modify instructions running in the kernel space of the guest. Additionally, the uuid_generate() function in the libxl library can be used by attackers to generate fake XEN headers for arbitrary ranges of physical addresses in guest physical pages. This leads to problems with memory allocation and memory mapping in guests.

Xen Project's Resolution: CVE-2022-23034

The issue is caused by a design flaw in the Xen hypervisor. In the IOMMU, it does not handle the case where a mapping from guest to host has been invalidated. This can be used to trigger a hypervisor bug check, resulting in a crash.
RESOLUTION: The issue can be resolved via this patch.

Timeline

Published on: 01/25/2022 14:15:00 UTC
Last modified on: 08/19/2022 09:59:00 UTC

References