The example below shows a guest being denied an action because another guest is already performing the same action. Because of the order of the operations, the guest already performing the action is not granted it when the action is attempted again. The guest therefore ends up trying to grant itself an action it has already performed. The operation is not allowed, the system deadlocks, and it must be rebooted to continue.

Transitive Grant Copy Handling

Some of the most common lock order inversions are found in copy handling for transitive grants. The order of the operations matters, because otherwise one of them may cause another to fail. Without adjustments to the locking code, the system may deadlock.

Vulnerable code example

    BEGIN TRANSACTION;
    CASCADE;
    *1 *2 *3;
    END TRANSACTION;
    BEGIN TRANSACTION;
    *1 *2 *3;
    CASCADE;
    END TRANSACTION;

Operation sequence overview

The following list gives the operations involved in the scheduling order for copy handling. It does not include the operations that come before or after this sequence.

1. Acquire a new resource lock (multiple locks and resources)
2. Acquire an old resource lock (single lock)
3. Release an old resource lock (single lock)
4. Mark new resource as owned by the current task (single and multiple locks)
5. Mark old resource as unowned by the current task
6. Release an old resource lock (multiple locks and resources)
7. Grant access to a new requestor on the same thread
8. Grant access to a new requestor on a different thread

Examples of Lock Order Inversion in Transitive Grant Copy Handling

In the example below, the guest is trying to perform an action that requires a transitive grant copy. The guest must first obtain the permission of its parent and then obtain the permission of its grandparent. When it attempts to obtain permission from its parent, it gets back a failure, because it has already granted itself permission. This results in a deadlock, and the system needs to be rebooted to continue. An example of a lock order inversion in transitive grant copy handling is provided below.
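
An added example, not code from the original page or from the system it describes: a small lock-order validator in C that records which lock is taken while another is held and flags any acquisition that inverts an order seen earlier, including through a chain of intermediate locks. The lock ids, `copy_between` and the lowest-id-first rule are assumptions made for the illustration.

```c
#include <stdio.h>

#define MAX_LOCKS 8 /* constructed limits; lock ids must be 0..MAX_LOCKS-1 */
#define MAX_HELD  4

/* order[a][b] set: lock b was acquired at some point while a was held. */
struct validator { unsigned char order[MAX_LOCKS][MAX_LOCKS]; };
struct task { int held[MAX_HELD]; int nheld; };

/* Is there a recorded chain from -> ... -> to? `seen` stops revisits. */
static int reaches(const struct validator *v, int from, int to, unsigned seen)
{
    if (from == to) return 1;
    seen |= 1u << from;
    for (int n = 0; n < MAX_LOCKS; n++)
        if (v->order[from][n] && !(seen & (1u << n)) && reaches(v, n, to, seen))
            return 1;
    return 0;
}

/* Record one acquisition; returns 1 if it inverts an order seen earlier. */
int lock_acquire(struct validator *v, struct task *t, int lock)
{
    int inverted = 0;
    for (int i = 0; i < t->nheld; i++) {
        if (reaches(v, lock, t->held[i], 0))
            inverted = 1; /* lock -> ... -> held[i] is already on record */
        v->order[t->held[i]][lock] = 1;
    }
    if (t->nheld < MAX_HELD) t->held[t->nheld++] = lock;
    return inverted;
}

/* Hypothetical copy path; canonical != 0 takes the lower-numbered lock first. */
int copy_between(struct validator *v, int own, int other, int canonical)
{
    struct task t = { {0}, 0 };
    int first = own, second = other;
    if (canonical && other < own) { first = other; second = own; }
    int bad = lock_acquire(v, &t, first);
    return bad | lock_acquire(v, &t, second);
}

int main(void)
{
    struct validator v = {{{0}}}, w = {{{0}}};
    copy_between(&v, 1, 2, 0); copy_between(&w, 1, 2, 1);
    printf("naive: %d\n", copy_between(&v, 2, 1, 0));   /* opposite order */
    printf("ordered: %d\n", copy_between(&w, 2, 1, 1)); /* canonical order */
    return 0;
}
```

The validator only needs to observe each ordering once, on any thread, so it reports the inversion without the two paths ever having to run at the same moment.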

Timeline

Published on: 10/11/2022 13:15:00 UTC
Last modified on: 10/14/2022 09:28:00 UTC
