CVE-2023-46837 - OpenCVE

Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. This undefined behavior was meant to be addressed by XSA-437, but the approach was not sufficient.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xen	Xen

Configuration 1 [-]

cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*

No data.

References

Link	Providers
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/
https://xenbits.xenproject.org/xsa/advisory-447.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: XEN

Published: 2024-01-05T16:36:10.881Z

Updated: 2024-08-02T20:53:21.884Z

Reserved: 2023-10-27T07:55:35.332Z

Link: CVE-2023-46837

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-05T17:15:11.247

Modified: 2024-02-15T03:15:34.683

Link: CVE-2023-46837

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46837", "assignerOrgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "state": "PUBLISHED", "assignerShortName": "XEN", "dateReserved": "2023-10-27T07:55:35.332Z", "datePublished": "2024-01-05T16:36:10.881Z", "dateUpdated": "2024-08-02T20:53:21.884Z"}, "containers": {"cna": {"title": "arm32: The cache may not be properly cleaned/invalidated (take two)", "datePublic": "2023-12-12T12:00:00Z", "descriptions": [{"lang": "en", "value": "Arm provides multiple helpers to clean & invalidate the cache\nfor a given region. This is, for instance, used when allocating\nguest memory to ensure any writes (such as the ones during scrubbing)\nhave reached memory before handing over the page to a guest.\n\nUnfortunately, the arithmetics in the helpers can overflow and would\nthen result to skip the cache cleaning/invalidation. Therefore there\nis no guarantee when all the writes will reach the memory.\n\nThis undefined behavior was meant to be addressed by XSA-437, but the\napproach was not sufficient.\n"}], "impacts": [{"descriptions": [{"lang": "en", "value": "A malicious guest may be able to read sensitive data from memory that\npreviously belonged to another guest.\n"}]}], "affected": [{"defaultStatus": "unknown", "product": "Xen", "vendor": "Xen", "versions": [{"status": "unknown", "version": "consult Xen advisory XSA-447"}]}], "configurations": [{"lang": "en", "value": "Systems running all version of Xen are affected.\n\nOnly systems running Xen on Arm 32-bit are vulnerable. Xen on Arm 64-bit\nis not affected.\n"}], "workarounds": [{"lang": "en", "value": "There is no known mitigation.\n"}], "credits": [{"lang": "en", "type": "finder", "value": "This issue was discovered by Michal Orzel from AMD.\n"}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-447.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G/"}], "providerMetadata": {"orgId": "23aa2041-22e1-471f-9209-9b7396fa234f", "shortName": "XEN", "dateUpdated": "2024-01-05T16:36:10.881Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.884Z"}, "title": "CVE Program Container", "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-447.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:x86:*", "matchCriteriaId": "9E211AB0-41AD-40D0-AF03-D285F42C6163", "versionEndIncluding": "4.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Arm provides multiple helpers to clean & invalidate the cache\nfor a given region. This is, for instance, used when allocating\nguest memory to ensure any writes (such as the ones during scrubbing)\nhave reached memory before handing over the page to a guest.\n\nUnfortunately, the arithmetics in the helpers can overflow and would\nthen result to skip the cache cleaning/invalidation. Therefore there\nis no guarantee when all the writes will reach the memory.\n\nThis undefined behavior was meant to be addressed by XSA-437, but the\napproach was not sufficient.\n"}, {"lang": "es", "value": "Arm proporciona m\u00faltiples ayudas para limpiar e invalidar el cach\u00e9 de una regi\u00f3n determinada. Esto se utiliza, por ejemplo, al asignar memoria de invitado para garantizar que cualquier escritura (como las que se realizan durante la limpieza) haya alcanzado la memoria antes de entregar la p\u00e1gina a un invitado. Desafortunadamente, la aritm\u00e9tica en los asistentes puede desbordarse y entonces se omitir\u00eda la limpieza/invalidaci\u00f3n de la cach\u00e9. Por lo tanto, no hay garant\u00eda de cu\u00e1ndo todas las escrituras llegar\u00e1n a la memoria. Este comportamiento indefinido deb\u00eda ser abordado por XSA-437, pero el enfoque no fue suficiente."}], "id": "CVE-2023-46837", "lastModified": "2024-02-15T03:15:34.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-05T17:15:11.247", "references": [{"source": "security@xen.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFVKWYQFRUU3CAS53THTUKXEOUDWI42G/"}, {"source": "security@xen.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XLL6SQ6IKFYXLYWITYZCRV5IBRK5G35R/"}, {"source": "security@xen.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://xenbits.xenproject.org/xsa/advisory-447.html"}], "sourceIdentifier": "security@xen.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}