CVE-2021-28699

Name	CVE-2021-28699
Description	inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-4977-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
xen (PTS)	buster, buster (security)	4.11.4+107-gef32c7afa2-1	vulnerable
	bullseye	4.14.6-1	fixed
	bullseye (security)	4.14.5+94-ge49571868d-1	fixed
	bookworm	4.17.3+10-g091466ba55-1~deb12u1	fixed
	trixie	4.17.3+10-g091466ba55-1	fixed
	sid	4.17.3+36-g54dacb5c02-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
xen	source	stretch	(not affected)
xen	source	buster	(unfixed)	end-of-life
xen	source	bullseye	4.14.3-1~deb11u1		DSA-4977-1
xen	source	(unstable)	4.14.3-1

[buster] - xen <end-of-life> (DSA 4677-1)
[stretch] - xen <not-affected> (Only affects 4.10 and later)
https://xenbits.xen.org/xsa/advisory-382.html