xenstored: A transaction conflict can crash C Xenstored

ISSUE DESCRIPTION When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstor...

Xenstore: Guests can crash xenstored

ISSUE DESCRIPTION Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the...

Xenstore: Guests can crash xenstored via exhausting the stack

ISSUE DESCRIPTION Xenstored is using recursion for some Xenstore operations e.g. for deleting a sub-tree of Xenstore nodes. With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored. IMPACT A malicious guest creating very deep nesting...

Xenstore: Guests can create arbitrary number of nodes via transactions

ISSUE DESCRIPTION In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been...

UBUNTU-CVE-2020-29483

An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by just removing the guest from xenstored's intern...