Linux: Uninitialized state in x86 PV failsafe callback path
ISSUE DESCRIPTION Linux has a failsafe callback, invoked by Xen under certain conditions. Normally in this failsafe callback, error_entry is paired with error_exit; and error_entry uses %ebx to communicate to error_exit whether to use the user or kernel return path. Unfortunately, on 64-bit PV Xen on...
L1 Terminal Fault speculative side channel
ISSUE DESCRIPTION In x86 nomenclature, a Terminal Fault is a pagetable walk which aborts due to the page being not present (e.g. paged out to disk), or because of reserved bits being set. Architecturally, such a memory access will result in a page fault exception, but some processors will...
guest use of HLE constructs may lock up host
ISSUE DESCRIPTION Various Intel CPU models have an erratum listed under the title "Processor May Hang When Executing Code In an HLE Transaction". It describes a potential hang when using instructions with the XACQUIRE prefix on the host physical memory range covering the first 4 MiB starting at t...
Stale TLB entry due to page type release race
ISSUE DESCRIPTION x86 PV guests effect TLB flushes by way of a hypercall. Xen tries to reduce the number of TLB flushes by delaying them as much as possible. When the last type reference of a page is dropped, the need for a TLB flush before the page is re-used is recorded. If a guest TLB flush...
broken x86 shadow mode refcount overflow check
ISSUE DESCRIPTION Pages being used to run x86 guests in shadow mode are reference counted to track their uses. Unfortunately the overflow check when trying to obtain a new reference used a mask one bit wider than the reference count actually is, rendering the entire check ineffective. IMPACT A...
improper x86 shadow mode refcount error handling
ISSUE DESCRIPTION Pages being used to run x86 guests in shadow mode are reference counted to track their uses. When another reference cannot be acquired, the corresponding page table entry must not be inserted. Due to incorrect error handling, this constraint could be violated. IMPACT A malicious...
improper bug check in x86 log-dirty handling
ISSUE DESCRIPTION Memory sharing, available to x86 HVM guests only, uses a special value in the global machine to physical address translation table (M2P). PV guests have full control over M2P entries corresponding to pages they own. A bug check (specifically, an assertion) that an M2P entry is not t...
Speculative register leakage from lazy FPU context switching
ISSUE DESCRIPTION x86 has a hardware mechanism for lazy FPU context switching. On a task switch, %cr0.ts (Task Switched) gets set, and the next instruction to touch floating point state raises an #NM (No Math, later known as Device Not Available) exception. Traditionally, FPU state has been large in...
x86: infinite loop due to missing PoD error checking
ISSUE DESCRIPTION Failure to recognize errors being returned from low level functions in Populate on Demand (PoD) code may result in higher level code entering an infinite loop. IMPACT A malicious HVM guest can cause one pcpu to permanently hang. This normally cascades into the whole system freezin...
x86: Nested VT-x usable even when disabled
ISSUE DESCRIPTION When running HVM guests, virtual extensions are enabled in hardware because Xen is using them. As a result, a guest can blindly execute the virtualisation instructions, and will exit to Xen for processing. In the case that the guest hasn't followed the correct virtual...
oxenstored does not apply quota-maxentity
ISSUE DESCRIPTION The logic in oxenstored for handling writes depended on the order of evaluation of expressions making up a tuple. As indicated in section 7.7.3 "Operations on data structures" of the OCaml manual: http://caml.inria.fr/pub/docs/manual-ocaml/expr.html the order of evaluation of...
x86: mishandling of debug exceptions
ISSUE DESCRIPTION When switching stacks, it is critical to have a matching stack segment and stack pointer. To allow an atomic update from what would otherwise be two adjacent instructions, an update which changes the stack segment either a mov or pop instruction with %ss encoded as the destinati...
x86: PV guest may crash Xen with XPTI
ISSUE DESCRIPTION The workaround for the Meltdown vulnerability (XSA-254) failed to deal with an error code path connecting the INT 80 handling with general exception handling. This results in an unconditional write attempt of the value zero to an address near 2^64, in cases where a PV guest has no...
Missing p2m error checking in PoD code
ISSUE DESCRIPTION Certain actions require modification of entries in a guest's P2M (Physical-to-Machine) table. When large pages are in use for this table, such an operation may incur a memory allocation to replace a large mapping with individual smaller ones. If this allocation fails, the...
x86 PV guests may gain access to internally used pages
ISSUE DESCRIPTION Memory management for PV guests builds on page ownership and page attributes. A domain can always map, at least r/o, pages of which it is the owner. Certain fields in the control structure of a page are used for different purposes in the main PV memory management code and in cod...
Information leak via side effects of speculative execution
ISSUE DESCRIPTION Processors give the illusion of a sequence of instructions executed one-by-one. However, in order to most efficiently use cpu resources, modern superscalar processors actually begin executing many instructions in parallel. In cases where instructions depend on the result of...
XAPI HTTP directory traversal
ISSUE DESCRIPTION XAPI has an unauthenticated HTTP endpoint update/ which exports the contents of /var/update for other hosts to use. However, the resolution of . and .. in paths is performed before URL unquoting is performed. This allows an attacker to traverse out of the web root. IMPACT An...
grant table v2 -> v1 transition may crash Xen
ISSUE DESCRIPTION Grant tables come in two flavors (versions), and domains are permitted to freely change between them subject to certain constraints. For the guest to use the facility, both the "normal" shared pages (applicable to v1 and v2) and the "status" pages (applicable to v2 only) need to be...
x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS
ISSUE DESCRIPTION The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must...
DoS via non-preemptable L3/L4 pagetable freeing
ISSUE DESCRIPTION Guests have the ability to request removal of memory from themselves. This operation is intended to be requested for normal read/write pages, but is also permitted to be used on other types of pages. So far this in particular included pages pinned to their current type, with the...
Information leak via crafted user-supplied CDROM
ISSUE DESCRIPTION QEMU handles many different file formats for virtual disks (e.g., raw, qcow2, vhd, &c). Some of these formats are "snapshots" that specify "patches" to an alternate disk image, whose filename is included in the snapshot file. When qemu is given a disk but the type is not specified...
Linux netback driver OOB access in hash handling
ISSUE DESCRIPTION Linux's netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation was missing or flawed. IMPACT A malicious or buggy frontend may cause the usually privileged backend to make o...
add-to-physmap error paths fail to release lock on ARM
ISSUE DESCRIPTION When dealing with the grant map space of add-to-physmap operations, ARM specific code recognizes a number of error conditions, but fails to release a lock being held on the respective exit paths. IMPACT A malicious guest administrator can cause a denial of service. Specifically,...
Speculative Store Bypass
ISSUE DESCRIPTION Contemporary high performance processors may use a technique commonly known as Memory Disambiguation, whereby speculative execution may proceed past unresolved stores. This opens a speculative side channel in which loads from an address which has had a recent store can observe a...
Unlimited recursion in linear pagetable de-typing
ISSUE DESCRIPTION x86 PV guests are permitted to set up certain forms of what is often called "linear page tables", where pagetables contain references to other pagetables at the same level or higher. Certain restrictions apply in order to fit into Xen's page type handling system. An important...
x86: Incorrect handling of self-linear shadow mappings with translated guests
ISSUE DESCRIPTION The shadow pagetable code uses linear mappings to inspect and modify the shadow pagetables. A linear mapping which points back to itself is known as self-linear. For translated guests, the shadow linear mappings being in a separate address space are not intended to be self-linea...
preemption checks bypassed in x86 PV MM handling
ISSUE DESCRIPTION Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table...
x86: #DB exception safety check can be triggered by a guest
ISSUE DESCRIPTION One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. IMPACT A malicious PV guest can crash Xen, leading to a Denial of...
Use of v2 grant tables may cause crash on ARM
ISSUE DESCRIPTION ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG checks. IMPACT An unprivilege...
pin count / page reference race in grant table code
ISSUE DESCRIPTION Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns...
libxl fails to honour readonly flag on HVM emulated SCSI disks
ISSUE DESCRIPTION libxl fails to pass the readonly flag to qemu when setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. IMPACT Malicious guest administrators or in some situations users may be able to write to supposedly read-only disk images. VULNERABLE...
DMOP map/unmap missing argument checks
ISSUE DESCRIPTION DMOPs (which were a subgroup of HVMOPs in older releases) allow guests to control and drive other guests. The I/O request server page mapping interface uses range sets to represent I/O resources the emulation of which is provided by a given I/O request server. The internals of the...
x86 PVH guest without LAPIC may DoS the host
ISSUE DESCRIPTION So far, x86 PVH guests can be configured with or without Local APICs. Configurations with Local APICs are identical to x86 HVM guests, and will use as much hardware acceleration support as possible. Configurations without Local APICs try to turn off all hardware acceleration, an...
page type reference leak on x86
ISSUE DESCRIPTION The page type system of Xen requires cleanup when the last reference for a given page is being dropped. In order to exclude simultaneous updates to a given page by multiple parties, pages which are updated are locked beforehand. This locking includes temporarily increasing the...
cxenstored: Race in domain cleanup
ISSUE DESCRIPTION When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. IMPACT The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on it including domain creation / destruction, ballooning, device changes, etc. VULNERABLE SYSTEM...
hypervisor stack leak in x86 I/O intercept code
ISSUE DESCRIPTION Intercepted I/O operations may deal with less than a full machine word's worth of data. While read paths had been the subject of earlier XSAs and hence have been fixed, at least one write path was found where the data stored into an internal structure could contain bits from an...
x86: memory leak with MSR emulation
ISSUE DESCRIPTION In Xen 4.10, new infrastructure was introduced as part of an overhaul to how MSR emulation happens for guests. Unfortunately, one tracking structure isn't freed when a vcpu is destroyed. IMPACT A memory allocation of 8 bytes is leaked each time a vcpu is destroyed. A malicious...
x86 vHPET interrupt injection errors
ISSUE DESCRIPTION The High Precision Event Timer (HPET) can be configured to deliver interrupts in one of three different modes - through legacy interrupts; through the IO-APIC; or optionally via a method similar to PCI MSI. The last mode is optional and not implemented by Xen. However, of the firs...
Missing NUMA node parameter verification
ISSUE DESCRIPTION The function alloc_heap_pages allows callers to specify the first NUMA node that should be used for allocations through the memflags parameter; the node is extracted using the MEMF_get_node macro. While the function checks to see if the special constant NUMA_NO_NODE is specified, it...
insufficient grant unmapping checks for x86 PV guests
ISSUE DESCRIPTION When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were...
Missing check for grant table
ISSUE DESCRIPTION The function gnttab_cache_flush handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see if a grant mapping to the calling domain exists for...
ARM: Some memory not scrubbed at boot
ISSUE DESCRIPTION Data can remain readable in DRAM across soft and even hard reboots. To ensure that sensitive data is not leaked from one domain to another after a reboot, Xen must "scrub" all memory on boot (write it with zeroes). Unfortunately, it was discovered that when memory was in disjoint...
x86: Incorrect handling of IST settings during CPU hotplug
ISSUE DESCRIPTION The x86-64 architecture allows interrupts to be run on distinct stacks. The choice of stack is encoded in a field of the corresponding interrupt descriptor in the Interrupt Descriptor Table (IDT). That field selects an entry from the active Task State Segment (TSS). Since, on AMD...
multiple MSI mapping issues on x86
ISSUE DESCRIPTION Multiple issues exist with the setup of PCI MSI interrupts:
- unprivileged guests were permitted access to devices not owned by them, in particular allowing them to disable MSI or MSI-X on any device
- HVM guests can trigger a codepath intended only for PV guests
- some failure...
qemu may drive Xen into unbounded loop
ISSUE DESCRIPTION When Xen sends requests to a device model, the next expected action inside Xen is tracked using a state field. The requests themselves are placed in a memory page shared with the device model, so that the device model can communicate to Xen its progress on the request. The state...
x86: DoS from attempting to use INVPCID with a non-canonical address
ISSUE DESCRIPTION The INVPCID instruction raises #GP(0) if an attempt is made to invalidate a non-canonical address. Older flushing mechanisms such as INVLPG tolerate this without error, and perform no action. There is one guest accessible path in Xen where a non-canonical address was passed into th...
Retbleed - arbitrary speculative code execution with return instructions
ISSUE DESCRIPTION Researchers at ETH Zurich have discovered Retbleed, allowing for arbitrary speculative execution in a victim context. For more details, see: https://comsec.ethz.ch/retbleed ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for Intel. Despite the similar...
linux: Fix Xen block IO merge-ability calculation
ISSUE DESCRIPTION The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one. When Linux is running as an x86 PV guest, some BIOs are erroneously merged, corrupting the data stre...
grant_table: possibly premature clearing of GTF_writing / GTF_reading
ISSUE DESCRIPTION Xen maintains the GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, X...
multiple problems with transitive grants
ISSUE DESCRIPTION 1) Code to handle copy operations on transitive grants has built in retry logic, involving a function reinvoking itself with unchanged parameters. Such use assumes that the compiler would also translate this to a so called "tail call" when generating machine code. Empirically, th...