[XSA-424] Guests can trigger deadlock in Linux netback driver

Severity Medium
Affected Packages 2
CVEs 2

ISSUE DESCRIPTION

The patch for XSA-392 introduced another issue which might result in
a deadlock when trying to free the SKB of a packet dropped due to
the XSA-392 handling (CVE-2022-42328).

Additionally, when dropping packets for other reasons, the same
deadlock could occur if netpoll is active for the interface the
xen-netback driver is connected to (CVE-2022-42329).

IMPACT

A malicious guest could cause Denial of Service (DoS) of the host via
the paravirtualized network interface.

VULNERABLE SYSTEMS

All systems using the Linux kernel based network backend xen-netback
are vulnerable.

Package            Affected Version
pkg:generic/xen    = 6.0
pkg:generic/xen    = 6.1-rc

Source        ID        Name                       URL
Xen Project   XSA-424   Security Advisory          http://xenbits.xen.org/xsa/advisory-424.html
Xen Project   XSA-424   Signed Security Advisory   http://xenbits.xen.org/xsa/advisory-424.txt

Type       Package URL        Name / Product   Version
Affected   pkg:generic/xen    xen              = 6.0
Affected   pkg:generic/xen    xen              = 6.1-rc