CVE-2022-23037 - How Linux PV Device Frontends Are Vulnerable to Attacks by Backends

*This post is meant to give a simple, clear explanation of a set of vulnerabilities in the Linux frontend drivers for Xen paravirtualized (PV) devices, mostly focusing on CVE-2022-23037 and friends. We’ll talk about what went wrong, what the risks are, show a bit of code, and explain how someone might exploit the bugs. We’ll also link you to original sources if you want a deeper read.*

Quick Background: Xen PV Devices and Grant Tables

If you use the Xen hypervisor, you may have virtual machines (guests) talking to real or emulated hardware by using something called “frontends” (running in the guest) and “backends” (running outside the guest, often in DOM). For performance, Xen uses *grant tables*—simple ways to let backends access specific guest memory pages safely.

But *race conditions* or mistakes in handling these grant tables can lead to leaks and attacks.

The following Linux Xen PV frontend drivers are affected by several closely related vulnerabilities

| Driver         | CVE ID           | Short Description                                      |
|----------------|------------------|--------------------------------------------------------|
| blkfront       | CVE-2022-23036   | Block device frontend memory handling race             |
| netfront       | CVE-2022-23037   | Network frontend (focus of this post)                  |
| scsifront      | CVE-2022-23038   | SCSI frontend grant table race condition               |
| gntalloc       | CVE-2022-23039   | Grant allocation handling                              |
| xenbus         | CVE-2022-23040   | Shared ring buffer grant removal check missing         |
| misc frontends | CVE-2022-23041   | Delayed free grant handling                            |
| netfront       | CVE-2022-23042   | DoS via assertion fail when revoking grants           |

> See: Xen Security Advisory XSA-390
> Linux Kernel Patch

The Vulnerability: What’s Going On?

Linux PV frontends like netfront, blkfront, scsifront, etc. use grants so the backend can perform I/O using guest memory directly.
But: Grant removal is not always synchronized! The frontend removes access, *thinking* it’s safe…but the backend may already have mapped (used) the grant page at just the wrong time.

#### The result: Backends can keep access to pages even after I/O is “done”

Simplified Example: Race Window

// Pseudocode showing the dangerous gap
if (grant_page_no_longer_used_by_backend(grant_ref)) {
    // frontend ASSUMES backend can't use it anymore
    remove_grant_access(grant_ref);  // <-- Not guaranteed to succeed!
    free_page(original_page);        // Oops, backend might still be using it!
}

Meaning: the backend can race in, map the page just before the grant is removed, and keep seeing memory after the guest thinks it’s gone or used for something else.

Scenario: Malicious Backend

Imagine you’re running a hosting service. You (the attacker) control the backend driver (in dom or elsewhere). You watch for grants being created from the guest, and try to:

When the guest thinks the revocation is done, backend still has access!

4. Backend can now read future info that lands in the now-freed-but-still-accessible page or corrupt the guest.

Denial of Service - netfront (CVE-2022-23042)

If backend makes revoke fail at *just the right time*, netfront may hit a BUG_ON() assertion, crashing the guest.

Example code (from netfront.c):

/* In netfront, code like: */
BUG_ON(gnttab_end_foreign_access_ref(rx->gref, , )); // If can't revoke

If gnttab_end_foreign_access_ref fails, guest will panic/BUG!

Why Does This Matter?

- Cloud Security: Anyone with backend control (some service providers, rogue admin) has a new vector to attack tenants.

References

- Xen Security Advisory 390 (XSA-390)
- Linux Kernel Commit Fixing the Issue
- netfront driver – source code
- OSS Security Mailing List

Example fix (from the kernel patch)

if (!gnttab_end_foreign_access_ref(gref, , )) {
    /* Failed to revoke, handle error, don't free page yet! */
}

Instead of just removing access and assuming all went well, the code now waits for confirmation.

If you use Xen with PV guests, don’t delay.

- Audit custom drivers or backends for correct memory/grant handling.

Summary

- Who’s at risk? Any Xen PV deployment using affected drivers, especially with untrusted backends.

What to do? Patch, monitor grant usage, and trust your backend code!

If you run Linux guests on Xen with PV devices, check your patch level *today*.


*For the latest, always see the manufacturer's security pages and official advisories.*


Stay safe, and patch early! If you have questions or want details about the technical side, check out the links above or leave a comment.

Timeline

Published on: 03/10/2022 20:15:00 UTC
Last modified on: 07/01/2022 14:15:00 UTC