CVE-2024-45818
NixOS vulnerability analysis and mitigation

Overview

CVE-2024-45818 (XSA-463) is a deadlock vulnerability in the x86 HVM standard VGA handling of the Xen hypervisor. It was publicly released on November 12, 2024, and affects Xen versions 4.6 through 4.19. The issue stems from an unusual locking discipline in the code that accelerates VGA memory accesses for HVM guests while the virtual VGA is in "standard" mode (Xen Advisory).

Technical details

The code that accelerates VGA memory accesses for HVM guests in standard VGA mode uses an unusual locking discipline: a lock taken inside the access handler is left held when that function returns, to be released only later. That works only as long as an emulated instruction performs a single access to VGA memory. When the instruction has two memory operands that both land in VGA memory (a string move, for example), the second access runs through the same handler and tries to take the lock that the first access still holds. The lock cannot be taken twice by the same holder, so the second acquisition never completes and the vCPU deadlocks inside the hypervisor. The problem had been noticed when the code was first introduced, but the analysis at the time was incorrect and the fix incomplete. The functionality has been accidentally disabled since Xen 4.7, and the fix for the affected stable branches backports the removal of most of the feature (Xen Advisory).
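The locking pattern described above, reduced to a runnable model. This is an added example and not Xen's code: the lock, the VGA window, the emulated byte move and the function names are stand-ins invented here, and the model's lock reports an attempted re-acquisition as a return value instead of spinning, so the deadlock can be observed rather than hanging the process. The buggy and fixed access handlers differ only in whether the lock is released before the handler returns.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model of the locking discipline described in XSA-463. Not Xen's
 * code: the lock, the VGA window and the emulated instruction are stand-ins. */

#define VGA_BASE 0xA0000u
#define VGA_SIZE 16u   /* tiny "VGA memory" window; plain RAM is addresses 0..15 */

enum { ACCESS_OK = 0, ACCESS_DEADLOCK = -1 };

/* Non-recursive lock. A real spinlock spins forever when its holder takes it
 * again; the model returns false so the deadlock is an observable result. */
typedef struct { bool held; } model_lock_t;

static bool lock_acquire(model_lock_t *l)
{
    if (l->held)
        return false;          /* already held by this vCPU: deadlock */
    l->held = true;
    return true;
}

static void lock_release(model_lock_t *l) { l->held = false; }

typedef struct {
    model_lock_t lock;
    uint8_t vram[VGA_SIZE];    /* backs VGA_BASE .. VGA_BASE+VGA_SIZE-1 */
    uint8_t ram[VGA_SIZE];     /* plain guest RAM, never locked */
} model_vga_t;

static bool in_vga(uint32_t addr) { return addr >= VGA_BASE && addr < VGA_BASE + VGA_SIZE; }

static uint8_t *slot_of(model_vga_t *v, uint32_t addr)
{
    return in_vga(addr) ? &v->vram[addr - VGA_BASE] : &v->ram[addr % VGA_SIZE];
}

static void byte_rw(uint8_t *slot, uint8_t *val, bool write)
{
    if (write) *slot = *val; else *val = *slot;
}

/* Buggy discipline: the VGA handler takes the lock and deliberately returns
 * with it still held, deferring the release to instruction completion. */
static int vga_access_buggy(model_vga_t *v, uint32_t addr, uint8_t *val, bool write)
{
    if (!lock_acquire(&v->lock))
        return ACCESS_DEADLOCK;
    byte_rw(slot_of(v, addr), val, write);
    return ACCESS_OK;          /* lock intentionally left held */
}

/* Fixed discipline: acquire and release inside the handler itself. */
static int vga_access_fixed(model_vga_t *v, uint32_t addr, uint8_t *val, bool write)
{
    if (!lock_acquire(&v->lock))
        return ACCESS_DEADLOCK;
    byte_rw(slot_of(v, addr), val, write);
    lock_release(&v->lock);
    return ACCESS_OK;
}

typedef int (*vga_access_fn)(model_vga_t *, uint32_t, uint8_t *, bool);
static int mem_access(model_vga_t *v, vga_access_fn fn, uint32_t addr, uint8_t *val, bool write)
{
    if (in_vga(addr))
        return fn(v, addr, val, write);     /* VGA window: locked handler */
    byte_rw(slot_of(v, addr), val, write);  /* plain RAM: no lock involved */
    return ACCESS_OK;
}

/* Emulate a byte move with a memory source and a memory destination, the
 * two-access instruction shape the advisory describes. */
static int emulate_move(model_vga_t *v, vga_access_fn fn, uint32_t src, uint32_t dst)
{
    uint8_t tmp = 0;
    int rc = mem_access(v, fn, src, &tmp, false);
    if (rc == ACCESS_OK)
        rc = mem_access(v, fn, dst, &tmp, true);
    lock_release(&v->lock);    /* instruction completion: drop whatever was left held */
    return rc;
}

/* Runs one constructed scenario (vram[0] = 0x5a, ram[0] = 0xa5) and returns
 * the byte now at dst, or ACCESS_DEADLOCK if the move could not complete. */
int run_move(bool fixed, uint32_t src, uint32_t dst)
{
    model_vga_t v;
    memset(&v, 0, sizeof v);
    v.vram[0] = 0x5a;
    v.ram[0] = 0xa5;
    if (emulate_move(&v, fixed ? vga_access_fixed : vga_access_buggy, src, dst) != ACCESS_OK)
        return ACCESS_DEADLOCK;
    return *slot_of(&v, dst);
}
```

A move from RAM into the VGA window succeeds under both disciplines, because only one operand goes through the locked handler; a move whose source and destination both lie in the VGA window deadlocks under the buggy discipline and completes under the fixed one. The shape to look for in review is the handler's `return ACCESS_OK` with the lock still held: any later operand of the same instruction that needs the same lock is unsatisfiable.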

Impact

A guest kernel, without necessarily being malicious, can trigger the deadlock and lock up the entire host. Only HVM guests can reach the affected code, since the emulated standard VGA exists only for them; PV and PVH guests cannot trigger it. NVD assigns a CVSS v3.1 base score of 6.5 (MEDIUM) with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (NVD). Note that the effect the advisory describes is a loss of availability for every guest on the host, so operationally this is a host-wide denial of service regardless of how the vector records its confidentiality and availability components.

Mitigation and workarounds

The only workaround is to run just PV or PVH guests, which cannot reach the vulnerable code. Whether an existing guest is HVM can be confirmed from its domain configuration (the type field shown by xl list -l). Otherwise, apply the patches: fixes have been released for Xen versions 4.16 through 4.19, and system administrators are advised to apply the appropriate patch to the stable branch they run (Xen Advisory).

This report was generated using AI.

Related NixOS vulnerabilities:

CVE ID          Severity  Score  Technologies    Component name  CISA KEV exploit  Has fix  Published date
CVE-2025-61619  HIGH      7.5    NixOS, android  -               No                No       Dec 01, 2025
CVE-2025-61618  HIGH      7.5    NixOS, android  -               No                No       Dec 01, 2025
CVE-2025-61617  HIGH      7.5    NixOS, android  -               No                No       Dec 01, 2025
CVE-2025-61610  HIGH      7.5    NixOS, android  -               No                No       Dec 01, 2025
CVE-2025-61609  HIGH      7.5    NixOS, android  -               No                No       Dec 01, 2025
