CVE-2023-34324 - OpenCVE

Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel on Arm doesn't use queued-RW-locks, which are required to trigger the issue (on Arm32 a waiting writer doesn't block further readers to get the lock).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel
Xen	Xen

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:xen:xen:-:::::::*

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html
https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html
https://xenbits.xenproject.org/xsa/advisory-441.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: XEN

Published: 2024-01-05T16:30:45.807Z

Updated: 2024-08-02T16:10:06.472Z

Reserved: 2023-06-01T10:44:17.065Z

Link: CVE-2023-34324

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-05T17:15:08.540

Modified: 2024-01-11T21:15:10.120

Link: CVE-2023-34324

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34324", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-06-01T10:44:17.065Z", "datePublished": "2024-01-05T16:30:45.807Z", "dateUpdated": "2024-08-02T16:10:06.472Z"}, "containers": {"cna": {"title": "Possible deadlock in Linux kernel event handling", "datePublic": "2023-10-10T11:26:00Z", "descriptions": [{"lang": "en", "value": "Closing of an event channel in the Linux kernel can result in a deadlock.\nThis happens when the close is being performed in parallel to an unrelated\nXen console action and the handling of a Xen console interrupt in an\nunprivileged guest.\n\nThe closing of an event channel is e.g. triggered by removal of a\nparavirtual device on the other side. As this action will cause console\nmessages to be issued on the other side quite often, the chance of\ntriggering the deadlock is not neglectable.\n\nNote that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel\non Arm doesn't use queued-RW-locks, which are required to trigger the\nissue (on Arm32 a waiting writer doesn't block further readers to get\nthe lock).\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "A (malicious) guest administrator could cause a denial of service (DoS)\nin a backend domain (other than dom0) by disabling a paravirtualized\ndevice.\n\nA malicious backend could cause DoS in a guest running a Linux kernel by\ndisabling a paravirtualized device.\n"}]}], "affected": [{"defaultStatus": "unknown", "product": "Linux", "vendor": "Linux", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-441"}]}], "configurations": [{"lang": "en", "value": "All unprivileged guests running a Linux kernel of version 5.10 and later,\nor with the fixes for XSA-332, are vulnerable.\n\nAll guest types are vulnerable.\n\nOnly x86- and 64-bit Arm-guests are vulnerable.\n\nArm-guests running in 32-bit mode are not vulnerable.\n\nGuests not using paravirtualized drivers are not vulnerable.\n"}], "workarounds": [{"lang": "en", "value": "There is no known mitigation.\n"}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered as a bug by Marek Marczykowski-G\u00f3recki of\nInvisible Things Lab; the security impact was recognised by J\u00fcrgen\nGro\u00df of SUSE.\n"}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-441.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:30:45.807Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:06.472Z"}, "title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-441.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D61CA62B-157A-4415-B8FD-7C3C1208315D", "versionEndExcluding": "5.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:xen:xen:-:*:*:*:*:*:*:*", "matchCriteriaId": "BFA1950D-1D9F-4401-AA86-CF3028EFD286", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Closing of an event channel in the Linux kernel can result in a deadlock.\nThis happens when the close is being performed in parallel to an unrelated\nXen console action and the handling of a Xen console interrupt in an\nunprivileged guest.\n\nThe closing of an event channel is e.g. triggered by removal of a\nparavirtual device on the other side. As this action will cause console\nmessages to be issued on the other side quite often, the chance of\ntriggering the deadlock is not neglectable.\n\nNote that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel\non Arm doesn't use queued-RW-locks, which are required to trigger the\nissue (on Arm32 a waiting writer doesn't block further readers to get\nthe lock).\n"}, {"lang": "es", "value": "El cierre de un canal de eventos en el kernel de Linux puede provocar un punto muerto. Esto sucede cuando el cierre se realiza en paralelo a una acci\u00f3n de la consola Xen no relacionada y al manejo de una interrupci\u00f3n de la consola Xen en un invitado sin privilegios. El cierre de un canal de eventos se desencadena, por ejemplo, al retirar un dispositivo paravirtual del otro lado. Como esta acci\u00f3n har\u00e1 que se emitan mensajes de la consola en el otro lado con bastante frecuencia, la posibilidad de desencadenar el punto muerto no es despreciable. Tenga en cuenta que los invitados de Arm de 32 bits no se ven afectados, ya que el kernel de Linux de 32 bits en Arm no utiliza bloqueos de RW en cola, que son necesarios para desencadenar el problema (en Arm32, un escritor en espera no bloquea m\u00e1s lectores para conseguir el candado)."}], "id": "CVE-2023-34324", "lastModified": "2024-01-11T21:15:10.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-05T17:15:08.540", "references": [{"source": "security@xen.org", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"}, {"source": "security@xen.org", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00005.html"}, {"source": "security@xen.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-441.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}