QSB-085: Xenstore: Guests can crash xenstored (XSA-414)

We have just published Qubes Security Bulletin (QSB) 085: Xenstore: Guests can crash xenstored (XSA-414). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). More information about QSBs, including a complete historical list, is available here.


             ---===[ Qubes Security Bulletin 085 ]===---

                             2022-11-01

           Xenstore: Guests can crash xenstored (XSA-414)


User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.5-12

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary
--------

On 2022-11-01, the Xen Project published XSA-414, "Xenstore: Guests
can crash xenstored" [3]:

| Due to a bug in the fix of XSA-115 a malicious guest can cause
| xenstored to use a wrong pointer during node creation in an error
| path, resulting in a crash of xenstored or a memory corruption in
| xenstored causing further damage.
|
| Entering the error path can be controlled by the guest e.g. by
| exceeding the quota value of maximum nodes per domain.


Impact
-------

The Xen Project's impact description also applies to Qubes OS:

| A malicious guest can cause xenstored to crash, resulting in the
| inability to create new guests or to change the configuration of
| running guests.
|
| Memory corruption in xenstored or privilege escalation of a guest
| can't be ruled out.

(Note: In Qubes terminology, a Xen guest is referred to as a "qube.")


Credits
--------

See the original Xen Security Advisory.


References
-----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-414.html

--
The Qubes Security Team
https://www.qubes-os.org/security/


This is a companion discussion topic for the original entry at https://www.qubes-os.org/news/2022/11/01/qsb-085/