Your submission was sent successfully! Close

CVE-2022-23037

Published: 10 March 2022

Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042

From the Ubuntu security team

Demi Marie Obenour and Simon Gaiser discovered that several Xen para- virtualization device frontends did not properly restrict the access rights of device backends. An attacker could possibly use a malicious Xen backend to gain access to memory pages of a guest VM or cause a denial of service in the guest.

Priority

Medium

CVSS 3 base score: 7.0

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-177.186)
focal
Released (5.4.0-117.132)
impish Ignored
(reached end-of-life)
jammy Not vulnerable
(5.15.0-25.25)
trusty Ignored
(was needed ESM criteria)
upstream
Released (5.17~rc8)
xenial Ignored
(was needed ESM criteria)
Patches:
Introduced by

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Fixed by 31185df7e2b1d2fa1de4900247a12d7b9c7087eb
linux-aws
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1128.137)
focal
Released (5.4.0-1078.84)
impish Ignored
(reached end-of-life)
jammy Not vulnerable
(5.15.0-1004.6)
trusty Ignored
(was needed ESM criteria)
upstream
Released (5.17~rc8)
xenial Ignored
(was needed ESM criteria)
linux-aws-5.0
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-aws-5.3)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-aws-5.11
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-aws-5.13
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needed now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-aws-5.15
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Not vulnerable

jammy Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

linux-aws-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-aws-5.4)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-aws-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1078.84~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-aws-5.8
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(superseded by linux-aws-5.11)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-aws-hwe
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial
Released (4.15.0-1128.137~16.04.1)
linux-azure
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-azure-5.3)
focal
Released (5.4.0-1083.87)
impish Ignored
(reached end-of-life)
jammy Not vulnerable
(5.15.0-1003.4)
trusty
Released (4.15.0-1138.151~14.04.1)
upstream
Released (5.17~rc8)
xenial
Released (4.15.0-1138.151~16.04.1)
linux-azure-4.15
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1138.151)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-azure-5.11
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-azure-5.13
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needed now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-azure-5.15
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Not vulnerable

jammy Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

linux-azure-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-azure-5.4)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-azure-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1083.87~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-azure-5.8
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(superseded by linux-azure-5.11)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-azure-edge
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-azure-5.3)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-azure-fde
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (5.4.0-1083.87+cvm1.1)
impish Does not exist

jammy Needs triage

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-bluefield
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (5.4.0-1040.44)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-dell300x
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1042.47)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-fips
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Ignored
(was needed ESM criteria)
linux-gcp
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-gcp-5.3)
focal
Released (5.4.0-1078.84)
impish Ignored
(reached end-of-life)
jammy Not vulnerable
(5.15.0-1003.6)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial
Released (4.15.0-1122.136~16.04.1)
linux-gcp-4.15
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1122.136)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gcp-5.11
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gcp-5.13
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needed now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gcp-5.15
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Not vulnerable

jammy Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

linux-gcp-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-gcp-5.4)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gcp-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1078.84~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gcp-5.8
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(superseded by linux-gcp-5.11)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gke
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (5.4.0-1074.79)
impish Does not exist

jammy Not vulnerable
(5.15.0-1002.2)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Ignored
(reached end of standard support)
linux-gke-4.15
Launchpad, Ubuntu, Debian
bionic Ignored
(was needs-triage now end-of-life)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gke-5.0
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-gke-5.3)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gke-5.15
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Not vulnerable

jammy Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

linux-gke-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-gke-5.4)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gke-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1074.79~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gkeop
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (5.4.0-1046.48)
impish Does not exist

jammy Not vulnerable
(5.15.0-1001.2)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-gkeop-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1046.48~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-hwe
Launchpad, Ubuntu, Debian
bionic Ignored
(replaced by linux-hwe-5.4)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial
Released (4.15.0-177.186~16.04.1)
linux-hwe-5.11
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(superseded by linux-hwe-5.13)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-hwe-5.13
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needed now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-hwe-5.15
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Not vulnerable
(5.15.0-33.34~20.04.1)
jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-hwe-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-117.132~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-hwe-5.8
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(superseded by linux-hwe-5.11)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-hwe-edge
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-hwe-5.4)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Ignored
(superseded by linux-hwe)
linux-ibm
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (5.4.0-1026.29)
impish Does not exist

jammy Not vulnerable
(5.15.0-1002.2)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-ibm-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1028.32~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-intel-5.13
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-intel-iotg
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

impish Does not exist

jammy Not vulnerable
(5.15.0-1004.6)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-intel-iotg-5.15
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Pending
(5.15.0-1008.11~20.04.1)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-kvm
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1114.117)
focal
Released (5.4.0-1068.72)
impish Ignored
(reached end-of-life)
jammy Not vulnerable
(5.15.0-1004.4)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Ignored
(was needed ESM criteria)
linux-lowlatency
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

impish Does not exist

jammy Not vulnerable
(5.15.0-24.24)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-lowlatency-hwe-5.15
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Not vulnerable
(5.15.0-33.34~20.04.1)
jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-lts-xenial
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

impish Does not exist

jammy Does not exist

trusty Ignored
(was needed ESM criteria)
upstream
Released (5.17~rc8)
xenial Does not exist

linux-oem
Launchpad, Ubuntu, Debian
bionic Ignored
(was needs-triage now end-of-life)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Ignored
(superseded by linux-hwe)
linux-oem-5.10
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oem-5.13
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oem-5.14
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Needed

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oem-5.17
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

impish Does not exist

jammy Not vulnerable
(5.17.0-1003.3)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oem-5.6
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oem-osp1
Launchpad, Ubuntu, Debian
bionic Ignored
(was needs-triage now end-of-life)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oracle
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1093.102)
focal
Released (5.4.0-1076.83)
impish Ignored
(reached end-of-life)
jammy Not vulnerable
(5.15.0-1002.4)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial
Released (4.15.0-1093.102~16.04.1)
linux-oracle-5.0
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-oracle-5.3)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oracle-5.11
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oracle-5.13
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needed now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oracle-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-oracle-5.4)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oracle-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1076.83~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-oracle-5.8
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(superseded by linux-oracle-5.11)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-raspi
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (5.4.0-1065.75)
impish Ignored
(reached end-of-life)
jammy Not vulnerable
(5.15.0-1005.5)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-raspi-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1065.75~18.04.1)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-raspi2
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1109.116)
focal Ignored
(replaced by linux-raspi)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Ignored
(end of standard support)
linux-raspi2-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(superseded by linux-raspi-5.4)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-riscv
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(superseded by linux-riscv-5.8)
impish Ignored
(reached end-of-life)
jammy Not vulnerable
(5.15.0-1006.6)
trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-riscv-5.11
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(was needs-triage now end-of-life)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-riscv-5.8
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Ignored
(superseded by linux-riscv-5.11)
impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Does not exist

linux-snapdragon
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1127.136)
focal Does not exist

impish Does not exist

jammy Does not exist

trusty Does not exist

upstream
Released (5.17~rc8)
xenial Ignored
(end of standard support)