CVE-2022-26362 Xen maintains a type reference count for pages, which is used for safety.

This is a familiar problem of shared-memory systems, and it is solved by synchronising the accesses that update the shared state, not by synchronising clocks: a hypervisor serialises changes to a page's type information with locks or atomic read-modify-write operations, and any check it makes on the type must be made against the value it is about to commit, not against an earlier snapshot. The complication in a hypervisor is that the type is also enforced by the hardware, through the page tables and the TLB entries derived from them, so the type reference count and the mappings it guards have to change in a carefully ordered sequence: a page may only become a page table once no writable mapping of it can still be used.
The race is in that sequence. While the type reference is being acquired there is a window in which the software check and the hardware state disagree, and a guest that still has a writable mapping of the page can keep writing to it through a stale TLB entry after the hypervisor has started treating the page as a page table. If the guest wins the race it can write to what the hypervisor now considers one of its own page tables, which is precisely what the type count exists to prevent; in practice this means a privilege escalation for a malicious PV guest, and for a non-malicious one unpredictable behaviour ranging from corrupted page table accesses to crashes.
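The check-then-act pattern described above, as an added example that is not Xen's code: a toy type word with a hypothetical bit layout, a racy acquisition that decides on a snapshot and then stores, and a compare-and-swap version whose commit fails whenever that snapshot has gone stale. The constant names, the layout and the demo interleavings are all assumptions made for illustration. It models only the software half of the race (a decision taken against stale state); the TLB-flush ordering a real hypervisor must also get right is outside its scope.

```c
/* Added example (not Xen's code): a simplified per-page type reference count
 * and the check-then-act race that breaks its safety invariant. Bit layout,
 * names and helpers are assumptions chosen for illustration only. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical type word: type in the top bits, reference count in the low
 * bits. A zero count means the page currently has no type. */
#define PGT_type_mask      0xe0000000u
#define PGT_count_mask     0x1fffffffu
#define PGT_none           0x00000000u
#define PGT_writable_page  0x20000000u
#define PGT_l1_page_table  0x40000000u

struct page_info {
    _Atomic uint32_t type_info;
};

enum acquire_result { GRANTED, REFUSED, RETRY };

/* The decision, made on a caller-supplied snapshot of the type word. An
 * untyped page may take any type; a typed page may only gain references of
 * the same type. This is what keeps a page from being writable and a page
 * table at the same time. */
static enum acquire_result check_snapshot(uint32_t snapshot, uint32_t want)
{
    uint32_t count = snapshot & PGT_count_mask;
    uint32_t type  = snapshot & PGT_type_mask;
    return (count == 0 || type == want) ? GRANTED : REFUSED;
}

/* Racy acquisition: decide on the snapshot, then write the new word with a
 * plain store. Nothing verifies that the snapshot is still current. */
static bool racy_commit(struct page_info *pg, uint32_t snapshot, uint32_t want)
{
    if (check_snapshot(snapshot, want) != GRANTED)
        return false;
    atomic_store(&pg->type_info, want | ((snapshot & PGT_count_mask) + 1));
    return true;
}

/* Safe acquisition: commit with compare-and-swap against the snapshot the
 * decision was based on. If anyone changed the word in between, the CAS
 * fails, *snapshot is refreshed, and the caller must re-run the check. */
static enum acquire_result cas_commit(struct page_info *pg, uint32_t *snapshot,
                                      uint32_t want)
{
    if (check_snapshot(*snapshot, want) != GRANTED)
        return REFUSED;
    uint32_t next = want | ((*snapshot & PGT_count_mask) + 1);
    return atomic_compare_exchange_strong(&pg->type_info, snapshot, next)
           ? GRANTED : RETRY;
}

/* Public form of the safe path: retry until the CAS lands or the check fails. */
bool get_page_type(struct page_info *pg, uint32_t want)
{
    uint32_t snap = atomic_load(&pg->type_info);
    enum acquire_result r;
    while ((r = cas_commit(pg, &snap, want)) == RETRY)
        ;
    return r == GRANTED;
}

/* Interleaving 1: callers A and B both snapshot an untyped page, then both
 * commit with plain stores. Returns true if both were granted incompatible
 * types, i.e. the invariant was broken. */
bool demo_racy_interleaving(void)
{
    struct page_info pg = { PGT_none };
    uint32_t snap_a = atomic_load(&pg.type_info);   /* A sees: untyped */
    uint32_t snap_b = atomic_load(&pg.type_info);   /* B sees: untyped */
    bool a = racy_commit(&pg, snap_a, PGT_l1_page_table);
    bool b = racy_commit(&pg, snap_b, PGT_writable_page);
    return a && b;   /* page-table type granted while a writable ref exists */
}

/* Interleaving 2: the same stale snapshots, but CAS commits. B's first
 * commit fails because A changed the word; B re-checks the fresh value and
 * is refused. Returns true only if the invariant was broken. */
bool demo_cas_interleaving(void)
{
    struct page_info pg = { PGT_none };
    uint32_t snap_a = atomic_load(&pg.type_info);
    uint32_t snap_b = atomic_load(&pg.type_info);
    enum acquire_result a = cas_commit(&pg, &snap_a, PGT_l1_page_table);
    enum acquire_result b = cas_commit(&pg, &snap_b, PGT_writable_page);
    if (b == RETRY)                                 /* snap_b is now current */
        b = cas_commit(&pg, &snap_b, PGT_writable_page);
    return a == GRANTED && b == GRANTED;
}

int main(void)
{
    printf("racy interleaving broke invariant: %s\n",
           demo_racy_interleaving() ? "yes" : "no");
    printf("CAS interleaving broke invariant:  %s\n",
           demo_cas_interleaving() ? "yes" : "no");
    return 0;
}
```

The point of keeping `check_snapshot` shared between both paths is that the decision logic is identical; the bug is not in the check but in committing a result derived from a view of the word that may no longer be true. The CAS version closes that gap for the software state, which is the part the page's argument about "synchronising accesses to the page table" is really about.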

CVE-2022-26363
