
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-23033 is a vulnerability in the Xen hypervisor that affects ARM systems running Xen version 4.12 and newer. The vulnerability was discovered by Dmytro Firsov of EPAM and publicly disclosed on January 25, 2022. The functions that remove entries from a guest p2m pagetable on ARM systems fail to properly clear a pagetable entry when its valid bit is not set (Xen Advisory).
The vulnerability exists in several ARM-specific functions (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) that handle guest pagetable entry removal. These functions fail to clear pagetable entries when the valid bit is not set. This condition can occur when a guest operating system uses set/way cache maintenance instructions. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
A malicious guest may be able to access Xen and other domains' memory through this vulnerability. The potential impacts include information leaks, host or domain Denial of Service (DoS), and privilege escalations. For example, a guest could issue a set/way cache maintenance instruction followed by a XENMEM_decrease_reservation hypercall to retain access to memory pages even after Xen has reallocated them for other purposes (Xen Advisory).
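The stale-entry condition described above can be seen in a simplified model. This is an added example, not Xen code or the project's patch: every `toy_*` name, the four-entry table and the frame number are constructed, and the lazy revalidation on guest access is an assumption of the model that the page does not describe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_MFN UINT64_MAX   /* stand-in for the hypervisor's "no frame" value */
#define NR_GFNS 4                /* constructed table size */

/* Toy p2m entry: one guest frame maps to one machine frame, plus a valid bit. */
struct toy_pte { uint64_t mfn; bool valid; };
static struct toy_pte p2m[NR_GFNS];

/* Model of set/way handling: entries lose the valid bit but keep their contents. */
static void toy_set_way_emulation(void) {
    for (size_t i = 0; i < NR_GFNS; i++) p2m[i].valid = false;
}

/* Removal with the flaw the advisory describes: an entry whose valid bit is
 * clear is skipped, so the old mfn stays in the table. */
static void toy_remove_flawed(unsigned gfn) {
    if (!p2m[gfn].valid) return;
    p2m[gfn] = (struct toy_pte){ INVALID_MFN, false };
}

/* Removal that clears the entry whether or not the valid bit is set. */
static void toy_remove_always_clear(unsigned gfn) {
    p2m[gfn] = (struct toy_pte){ INVALID_MFN, false };
}

/* Assumed lazy fault handling: a non-empty entry is marked valid again on
 * access. Returns the mfn the guest can reach, or INVALID_MFN. */
static uint64_t toy_guest_access(unsigned gfn) {
    if (!p2m[gfn].valid && p2m[gfn].mfn != INVALID_MFN) p2m[gfn].valid = true;
    return p2m[gfn].valid ? p2m[gfn].mfn : INVALID_MFN;
}

/* The sequence from the advisory's example, run with either removal routine. */
static uint64_t toy_scenario(void (*remove_fn)(unsigned)) {
    for (size_t i = 0; i < NR_GFNS; i++) p2m[i] = (struct toy_pte){ INVALID_MFN, false };
    p2m[1] = (struct toy_pte){ 0x1234, true };  /* constructed mapping */
    toy_set_way_emulation();                    /* guest used a set/way instruction */
    remove_fn(1);                               /* page handed back to the hypervisor */
    return toy_guest_access(1);                 /* what the guest can still reach */
}

int main(void) {
    printf("flawed removal leaves mfn reachable: %d\n",
           toy_scenario(toy_remove_flawed) != INVALID_MFN);
    printf("always-clear removal leaves mfn reachable: %d\n",
           toy_scenario(toy_remove_always_clear) != INVALID_MFN);
    return 0;
}
```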
There was no known mitigation available at the time of disclosure. The recommended solution is to apply the security patch provided by the Xen Project. Distribution vendors have released updated packages to address this vulnerability, including Debian (version 4.14.4+74-gd7b22226b5-1), Fedora (xen-4.14.4-1.fc34), and Gentoo (Debian Advisory, Fedora Update, Gentoo Advisory).
Source: This report was generated using AI