We have just published Qubes Security Bulletin (QSB) 078: Linux kernel PV driver issues and LVM misconfiguration. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).
View QSB-078 in the qubes-secpack:
In addition, you may wish to:
- Get the qubes-secpack: https://www.qubes-os.org/security/pack/
- View all past QSBs: https://www.qubes-os.org/security/qsb/
- View the XSA Tracker: https://www.qubes-os.org/security/xsa/
---===[ Qubes Security Bulletin 078 ]===--- 2022-03-10 Linux kernel PV driver issues and LVM misconfiguration User action required --------------------- Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.0, in dom0: - Kernel packages, versions 5.4.183-2, 5.16.13-2, 4.19.233-2 - LVM2 packages, version 2.02.167-4 For Qubes 4.1, in dom0: - Kernel packages, versions 5.10.104-2, 5.16.13-2 - LVM2 packages, version 2.03.09-2 These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.  Once available, the packages are to be installed via the Qubes Update tool or its command-line equivalents.  A system restart is required in order for the updates to take effect. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Dom0 kernel binaries. By default, qube kernels are provided by dom0. However, advanced users may instead opt to install a different kernel inside of a qube, e.g., from an upstream distribution like Fedora or Debian.  Such users should consult that distribution's update channels for any kernel updates that might be relevant to this bulletin. In addition, advanced users with customized setups are advised that the LVM patch changes the LVM's default value for "global_filter" . This means you must ensure that the device that contains the LVM with Qubes' rootfs is allowed, or else your system will not boot. Summary -------- On 2022-03-10, the Xen project published XSA-396, "Linux PV device frontends vulnerable to attacks by backends" : | Several Linux PV device frontends are using the grant table interfaces | for removing access rights of the backends in ways being subject to | race conditions, resulting in potential data leaks, data corruption | by malicious backends, and denial of service triggered by malicious | backends: | | blkfront, netfront, scsifront and the gntalloc driver are testing | whether a grant reference is still in use. If this is not the case, | they assume that a following removal of the granted access will always | succeed, which is not true in case the backend has mapped the granted | page between those two operations. As a result the backend can keep | access to the memory page of the guest no matter how the page will be | used after the frontend I/O has finished. The xenbus driver has a | similar problem, as it doesn't check the success of removing the | granted access of a shared ring buffer. | blkfront: CVE-2022-23036 | netfront: CVE-2022-23037 | scsifront: CVE-2022-23038 | gntalloc: CVE-2022-23039 | xenbus: CVE-2022-23040 | | blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, | and pvcalls are using a functionality to delay freeing a grant | reference until it is no longer in use, but the freeing of the related | data page is not synchronized with dropping the granted access. As a | result the backend can keep access to the memory page even after it | has been freed and then re-used for a different purpose. | CVE-2022-23041 | | | netfront will fail a BUG_ON() assertion if it fails to revoke access | in the rx path. This will result in a Denial of Service (DoS) | situation of the guest which can be triggered by the backend. | CVE-2022-23042 As a separate matter, there is a misconfiguration in the Linux Volume Manager (LVM) in dom0 that affects certain custom storage configurations (see below). In affected systems, the LVM fails to ignore devices that are controlled by other qubes. This exposes the LVM metadata parser in dom0 to untrusted data, which could, hypothetically, be exploited in combination with an another vulnerability and which may result in the LVM becoming "confused" about which devices it should use. Impact ------- Regarding XSA-396, due to race conditions and missing tests of return codes in the Linux PV device frontend drivers, a malicious backend could gain access (both read and write) to memory pages to which it should not have such access, or it could directly trigger a denial of service (DoS) in the qube in which it is running. A backend gaining full control over its frontend qube is unlikely but cannot be ruled out. In the default Qubes OS configuration, this allows malicious sys-net, sys-firewall, and sys-usb qubes to attack any qube to which they are connected (either as network provider or as a block-device provider via `qvm-block`). XSA-396 does not affect qubes that are not connected to any network and that do not have any extra disks attached. The LVM misconfiguration affects only systems that (a) use both an LVM storage pool and another non-LVM storage pool or (b) enable the "ephemeral" volume property (available in R4.1). The default Qubes OS configuration is not affected. In affected systems, a malicious qube that controls a non-LVM, writable storage volume may "confuse" the LVM in dom0 about which storage devices should be used. This may prevent many management actions on qubes from being performed, including creating, removing, starting, and resizing. If such a malicious qube knows dom0's volume group UUID, it could also imitate the disks of other qubes, but it cannot directly extract their original content). Extracting the volume group UUID itself is not possible by exploiting this misconfiguration. Finally, since this misconfiguration results in the LVM metadata parser in dom0 being exposed to untrusted data, it's possible that it could be chained with another attack. Credits -------- Demi Marie Obenour and Simon Gaiser discovered the Linux PV driver vulnerabilities (XSA-396). Demi Marie Obenour discovered the LVM misconfiguration. References -----------  https://www.qubes-os.org/doc/testing/  https://www.qubes-os.org/doc/how-to-update/  https://www.qubes-os.org/doc/managing-vm-kernels/  https://xenbits.xen.org/xsa/advisory-396.html  https://github.com/QubesOS/qubes-lvm2/blob/v2.03.09-2/lvm2-set-default-global_filter.patch -- The Qubes Security Team https://www.qubes-os.org/security/
This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2022/03/10/qsb-078/