CVE-2021-28701

 

Published at: - 08-09-2021 04:15

Last modified: - 15-08-2022 01:15

Total changes: - 10

Description

Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://xenbits.xenproject.org/xsa/advisory-384.txt
• http://xenbits.xen.org/xsa/advisory-384.html
• [oss-security] 20210908 Xen Security Advisory 384 v3 (CVE-2021-28701) - Another race in XENMAPSPACE_grant_table handling-Mailing List, Third Party Advisory
• FEDORA-2021-11577e5229-Mailing List, Third Party Advisory
• FEDORA-2021-fed53cbc7d-Mailing List, Third Party Advisory
• DSA-4977-Third Party Advisory
• FEDORA-2021-5a0c7bc619-Mailing List, Third Party Advisory
• GLSA-202208-23-

 

Keywords

NVD

 

CVE-2021-28701

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures