[XSA-448] Linux: netback processing of zero-length transmit fragment

Severity High

Affected Packages 2

CVEs 1

ISSUE DESCRIPTION

Transmit requests in Xen's virtual network protocol can consist of
multiple parts. While not really useful, except for the initial part
any of them may be of zero length, i.e. carry no data at all. Besides a
certain initial portion of the to be transferred data, these parts are
directly translated into what Linux calls SKB fragments. Such converted
request parts can, when for a particular SKB they are all of length
zero, lead to a de-reference of NULL in core networking code.

IMPACT

An unprivileged guest can cause Denial of Service (DoS) of the host by
sending network packets to the backend, causing the backend to crash.

Data corruption or privilege escalation have not been ruled out.

VULNERABLE SYSTEMS

All systems using a Linux based network backend with kernel 4.14 and
newer are vulnerable. Earlier versions may also be vulnerable. Systems
using other network backends are not known to be vulnerable.

Package	Affected Version
pkg:generic/xen	= 6.5
pkg:generic/xen	= 6.7-rc

ID

XSA-448

Severity

high

Severity from

CVE-2023-46838

URL

http://xenbits.xen.org/xsa/advisory-448.html

Published

2024-01-22T18:30:00
(7 months ago)

Modified

2024-01-22T18:30:00
(7 months ago)

Rights

Xen Project

Other Advisories

Source	# ID	Name	URL
Xen Project	XSA-448	Security Advisory	http://xenbits.xen.org/xsa/advisory-448.html
Xen Project	XSA-448	Signed Security Advisory	http://xenbits.xen.org/xsa/advisory-448.txt

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:generic/xen		xen	= 6.5
Affected	pkg:generic/xen		xen	= 6.7-rc

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date