CVE-2024-45818

19.12.2024, 12:15

The hypervisor contains code to accelerate VGA memory accesses for HVM
guests, when the (virtual) VGA is in "standard" mode. Locking involved
there has an unusual discipline, leaving a lock acquired past the
return from the function that acquired it. This behavior results in a
problem when emulating an instruction with two memory accesses, both of
which touch VGA memory (plus some further constraints which aren't
relevant here). When emulating the 2nd access, the lock that is already
being held would be attempted to be re-acquired, resulting in a
deadlock.

This deadlock was already found when the code was first introduced, but
was analysed incorrectly and the fix was incomplete. Analysis in light
of the new finding cannot find a way to make the existing locking
discipline work.

In staging, this logic has all been removed because it was discovered
to be accidentally disabled since Xen 4.7. Therefore, we are fixing the
locking problem by backporting the removal of most of the feature. Note
that even with the feature disabled, the lock would still be acquired
for any accesses to the VGA MMIO region.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
XEN	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	6.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
xen	xen	4.6.0 ≤ 𝑥 < 4.20.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

xen

bullseye	vulnerable
bullseye (security)	vulnerable
bookworm	4.17.5+23-ga4e5191dc0-1+deb12u1 fixed
bookworm (security)	4.17.5+23-ga4e5191dc0-1 fixed
sid	4.20.0+68-g35cb38b222-1 fixed
trixie	4.20.0+68-g35cb38b222-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

xen

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-667 - Improper Locking
The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

References

https://xenbits.xenproject.org/xsa/advisory-463.html

http://www.openwall.com/lists/oss-security/2024/11/12/2

http://xenbits.xen.org/xsa/advisory-463.html