Search results for "Xen", sorted by most viewed: 482 matches found

Xen Project • added 2017/08/15 12:00 p.m. • 329 views

grant_table: Race conditions with maptrack free list handling

ISSUE DESCRIPTION The grant table code in Xen has a bespoke semi-lockfree allocator for recording grant mappings ("maptrack" entries). This allocator has a race which allows the free list to be corrupted. Specifically: the code for removing an entry from the free list, prior to use, assumes without...

CVSS 7.8 • AI score 0.1 • EPSS 0.00311
Exploits 0 • Affected software 1

Xen Project • added 2017/08/15 12:00 p.m. • 326 views

x86: PV privilege escalation via map_grant_ref

ISSUE DESCRIPTION When mapping a grant reference, a guest must inform Xen of where it would like the grant mapped. For PV guests, this is done by nominating an existing linear address, or an L1 pagetable entry, to be altered. Neither of these PV paths check for alignment of the passed parameter...

CVSS 8.8 • AI score 6.9 • EPSS 0.00437
Exploits 0 • Affected software 1

Xen Project • added 2019/01/21 12:00 p.m. • 288 views

Cache-load gadgets exploitable with L1TF

ISSUE DESCRIPTION Previously reported vulnerabilities CVE-2017-5753 / XSA-254 (Spectre v1) and CVE-2018-3646 / XSA-273 (L1TF) can, when combined, be leveraged to more easily gather leaked information. A Spectre v1 gadget is a speculation sequence which starts with a conditional branch, contains a...

AI score 1.2
Exploits 0

Xen Project • added 2018/11/20 12:00 p.m. • 274 views

insufficient TLB flushing / improper large page mappings with AMD IOMMUs

ISSUE DESCRIPTION In order to be certain that no undue access to memory is possible anymore after IOMMU mappings of this memory have been removed, Translation Lookaside Buffers (TLBs) need to be flushed after most changes to such mappings. Xen bypassed certain IOMMU flushes on AMD x86 hardware...

CVSS 7.8 • AI score 1.5 • EPSS 0.00409
Exploits 0 • Affected software 1

Xen Project • added 2018/11/20 12:00 p.m. • 267 views

x86: incorrect error handling for guest p2m page removals

ISSUE DESCRIPTION The internal function querying a domain's p2m table grabs the p2m lock by default, so that the answer to the query remains true until the caller can act on that information; it is up to the caller then to release the lock. Unfortunately, certain failure paths don't release the...

CVSS 6.5 • AI score 0.8 • EPSS 0.00357
Exploits 0 • Affected software 1

Xen Project • added 2018/11/20 12:00 p.m. • 257 views

resource accounting issues in x86 IOREQ server handling

ISSUE DESCRIPTION Allocation of pages used to communicate with external emulators did not follow certain principles that are required for proper life cycle management of guest exposed pages. IMPACT A compromised DM stubdomain may cause Xen to crash, resulting in a DoS (Denial of Service) affecting...

CVSS 7.8 • AI score 2.3 • EPSS 0.00364
Exploits 0 • Affected software 1

Xen Project • added 2018/11/20 12:00 p.m. • 254 views

Fix for XSA-240 conflicts with shadow paging

ISSUE DESCRIPTION The fix for XSA-240 introduced a new field into the control structure associated with each page of RAM. This field was added to a union, another member of which is used when Xen uses shadow paging for the guest. During migration, or with the L1TF (XSA-273) mitigation for PV guests...

CVSS 8.8 • AI score 0.5 • EPSS 0.00438
Exploits 0 • Affected software 1

Xen Project • added 2019/06/13 7:16 p.m. • 235 views

Unlimited Arm Atomics Operations

ISSUE DESCRIPTION Software targeting pre-Armv8.1-A hardware, Xen included, commonly implements atomics using Load/Store exclusive instructions in a loop that will terminate once the store succeeded. As per the Armv8-A Architecture Reference Manual (ARM DDI0487D.a), paragraph 2.9.5 "Load-Exclusive a...

CVSS 5.5 • AI score 0.5 • EPSS 0.00358
Exploits 0

Xen Project • added 2019/03/05 12:00 p.m. • 188 views

x86: insufficient TLB flushing when using PCID

ISSUE DESCRIPTION Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 and in particular its Meltdown sub-issue. This enablement implied changes to the TLB flushing logic. The particular case of context switch to a vCPU of a PCID-enabled...

CVSS 8.8 • AI score 0.2 • EPSS 0.00349
Exploits 0

Xen Project • added 2019/03/05 12:00 p.m. • 184 views

x86: Inconsistent PV IOMMU discipline

ISSUE DESCRIPTION In order for a PV domain to set up DMA from a passed-through device to one of its pages, the page must be mapped in the IOMMU. On the other hand, before a PV page may be used as a "special" page type such as a pagetable or descriptor table, it must not be writable in the IOMMU...

CVSS 6.8 • AI score 0.3 • EPSS 0.00279
Exploits 0

Xen Project • added 2023/08/08 5:00 p.m. • 178 views

x86/AMD: Speculative Return Stack Overflow

ISSUE DESCRIPTION Researchers from ETH Zurich have extended their prior research (XSA-422, Branch Type Confusion, a.k.a. Retbleed) and have discovered INCEPTION, also known as RAS (Return Address Stack) Poisoning, and Speculative Return Stack Overflow. The RAS is updated when a CALL instruction is...

CVSS 4.7 • AI score 6.9 • EPSS 0.0616
Exploits 1 • Affected software 1

Xen Project • added 2019/03/05 12:00 p.m. • 165 views

x86 shadow: Insufficient TLB flushing when using PCID

ISSUE DESCRIPTION Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 and in particular its Meltdown sub-issue. This enablement implied changes to the TLB flushing logic. One aspect which was overlooked is the safety of switching between...

CVSS 6.5 • AI score 0.5 • EPSS 0.00347
Exploits 0

Xen Project • added 2015/05/13 11:15 a.m. • 157 views

Privilege escalation via emulated floppy disk drive

ISSUE DESCRIPTION The code in qemu which emulates a floppy disk controller did not correctly bounds check accesses to an array and therefore was vulnerable to a buffer overflow attack. IMPACT A guest which has access to an emulated floppy device can exploit this vulnerability to take over the qem...

CVSS 7.7 • AI score 7.4 • EPSS 0.15275
Exploits 1

Xen Project • added 2019/03/05 12:00 p.m. • 155 views

x86: steal_page violates page_struct access discipline

ISSUE DESCRIPTION Xen's reference counting rules were designed to allow pages to change owner and state without requiring a global lock. Each page has a page structure, and a very specific set of access disciplines must be observed to ensure that pages are freed properly, and that no writable...

CVSS 7 • AI score 1 • EPSS 0.00258
Exploits 0

Xen Project • added 2019/07/09 1:55 p.m. • 146 views

Linux: No grant table and foreign mapping limits

ISSUE DESCRIPTION Virtual device backends and device models running in domain 0, or other backend driver domains, need to be able to map guest memory either via grant mappings, or via the foreign mapping interface. Inside Xen, mapped grants are tracked by the maptrack structure. The size of this...

CVSS 6.5 • AI score 0.3 • EPSS 0.00408
Exploits 0

Xen Project • added 2021/06/08 5:00 p.m. • 143 views

Speculative Code Store Bypass

ISSUE DESCRIPTION Modern superscalar processors may employ sophisticated decoding and caching of the instruction stream to improve performance. However, a consequence is that self-modifying code updates may not take effect instantly. Whatever the architectural guarantees, some CPUs have...

CVSS 6.5 • AI score 1.1 • EPSS 0.00372
Exploits 0

Xen Project • added 2017/02/10 12:43 p.m. • 128 views

oob access in cirrus bitblt copy

ISSUE DESCRIPTION When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory. IMPACT A malicious guest administrator can cause an out of bounds memory access, leading to information disclosure or privilege escalation. VULNERABLE...

CVSS 9.1 • AI score 2.1 • EPSS 0.03648
Exploits 0
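The backwards-blit bounds check the advisory above refers to, as an added illustrative example written for this page (not qemu's code): with a negative pitch the rows walk towards lower addresses and each row extends `width` bytes below its start, so a check that only looks at where the last row starts misses the bytes before it and lets a blit run off the front of video memory. The `struct blit`, the function names and the flat VRAM model are assumptions; the buggy variant sits beside the fixed one to show the single term that differs.

```c
#include <stdint.h>

/* Geometry of one 2-D blit over a flat VRAM buffer, as an emulator would
 * receive it from guest-programmed registers (constructed layout, not qemu's).
 * A negative pitch means a backwards blit: rows walk towards lower addresses
 * and each row is written from its start address downwards, so the bytes
 * touched lie below addr, not above it. */
struct blit {
    int64_t addr;      /* first byte touched (highest byte for a backwards blit) */
    int32_t width;     /* bytes per row */
    int32_t height;    /* rows */
    int32_t pitch;     /* byte distance between rows; negative = backwards */
};

/* Lowest and highest VRAM offset a blit will touch. 64-bit arithmetic keeps
 * height * pitch from overflowing for guest-supplied 32-bit values. */
static void blit_extent(const struct blit *b, int64_t *lo, int64_t *hi)
{
    int64_t last_row = b->addr + (int64_t)(b->height - 1) * b->pitch;
    if (b->pitch < 0) {
        *lo = last_row - (b->width - 1);   /* the width has to be "negated" too */
        *hi = b->addr;
    } else {
        *lo = b->addr;
        *hi = last_row + (b->width - 1);
    }
}

/* Buggy check of the kind the advisory describes: for a backwards blit it
 * only looks at where the last row starts and forgets that the row extends
 * width bytes further down. Returns 1 if it (wrongly) accepts the blit. */
static int blit_in_bounds_buggy(const struct blit *b, int64_t vram_size)
{
    if (b->width <= 0 || b->height <= 0 || b->pitch == 0)
        return 0;
    int64_t lo, hi;
    if (b->pitch < 0) {
        lo = b->addr + (int64_t)(b->height - 1) * b->pitch;   /* missing "- (width - 1)" */
        hi = b->addr;
    } else {
        lo = b->addr;
        hi = b->addr + (int64_t)(b->height - 1) * b->pitch + (b->width - 1);
    }
    return lo >= 0 && hi < vram_size;
}

/* Fixed check: reject degenerate geometry, then require the full extent,
 * including the width of the lowest row, to sit inside [0, vram_size). */
static int blit_in_bounds(const struct blit *b, int64_t vram_size)
{
    if (b->width <= 0 || b->height <= 0 || b->pitch == 0)
        return 0;
    int64_t lo, hi;
    blit_extent(b, &lo, &hi);
    return lo >= 0 && hi < vram_size;
}
```

A backwards blit starting at offset 100 with 64-byte rows, 4 rows and a pitch of -32 ends 59 bytes before the start of VRAM; the buggy check accepts it because the last row still starts at offset 4, the fixed one rejects it.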
Xen Project • added 2019/03/05 12:00 p.m. • 127 views

x86: PV kernel context switch corruption

ISSUE DESCRIPTION On hardware supporting the fsgsbase feature, 64bit PV guests can set and clear the applicable control bit in its virtualised %cr4, but the feature remains fully active in hardware. Therefore, the associated instructions are actually usable. Linux, which does not currently suppor...

CVSS 7.8 • AI score 0.3 • EPSS 0.00352
Exploits 0 • Affected software 1

Xen Project • added 2019/03/05 12:00 p.m. • 126 views

missing preemption in x86 PV page table unvalidation

ISSUE DESCRIPTION XSA-273 changes required, among other things, making any PTE updates restartable. The changes making PTE updates restartable assumed that L2 pagetables would always be promoted preemptibly; but this turns out not to be the case when using the 'linear pagetable' feature; the resu...

CVSS 6.5 • AI score 0.7 • EPSS 0.0035
Exploits 0 • Affected software 1

Xen Project • added 2019/03/05 12:00 p.m. • 126 views

x86/PV: page type reference counting issue with failed IOMMU update

ISSUE DESCRIPTION When an x86 PV domain has a passed-through PCI device assigned, IOMMU mappings may need to be updated when the type of a particular page changes. Such an IOMMU operation may fail. In the event of failure, while at present the affected guest would be forcibly crashed, the already...

CVSS 6.5 • AI score 0.1 • EPSS 0.0035
Exploits 0 • Affected software 1

Xen Project • added 2015/12/17 12:00 p.m. • 122 views

paravirtualized drivers incautious about shared memory contents

ISSUE DESCRIPTION The compiler can emit optimizations in the PV backend drivers which can lead to double fetch vulnerabilities. Specifically the shared memory between the frontend and backend can be fetched twice during which time the frontend can alter the contents possibly leading to arbitrary...

CVSS 8.2 • AI score 8.3 • EPSS 0.0108
Exploits 2
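The double-fetch pattern the advisory above describes, as an added example written for this page (not Xen's or Linux's code): a constructed PV backend reads a length field from a ring request that lives in a page shared with an untrusted frontend, once for the bounds check and once more for the loop bound. A hook simulates the frontend rewriting the field between the two reads so the race is deterministic and testable. The hardened variant snapshots the whole request into private memory and puts a compiler barrier after the copy before validating it, the shape Linux's RING_COPY_REQUEST takes; the ring layout, the segment limit and every name here are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SEGS 8   /* the most segments this (constructed) backend supports */

/* Constructed stand-in for one PV ring request that lives in a page shared
 * with an untrusted frontend; the frontend may rewrite any byte at any time. */
struct ring_req {
    uint8_t op;
    uint8_t nr_segments;      /* frontend-controlled length field */
    uint8_t segs[64];         /* deliberately larger than MAX_SEGS */
};

/* Simulated shared page. A real frontend races from another vCPU; here a hook
 * runs after every backend fetch so the race is deterministic. */
struct shared_page {
    struct ring_req req;
    void (*frontend_hook)(struct shared_page *sp);   /* NULL = benign frontend */
    unsigned fetches;
};

/* One fetch of nr_segments straight from shared memory. */
static uint8_t fetch_nr_segments(struct shared_page *sp)
{
    uint8_t v = *(volatile uint8_t *)&sp->req.nr_segments;
    sp->fetches++;
    if (sp->frontend_hook)
        sp->frontend_hook(sp);   /* the frontend gets to run between fetches */
    return v;
}

/* Vulnerable pattern: the bounds check and the loop bound are separate reads
 * of shared memory. Even with a single source-level read, a compiler may
 * legally re-load from memory instead of keeping the value in a register.
 * Returns the number of segments processed, or -1 if rejected. */
static int backend_vulnerable(struct shared_page *sp, uint8_t *out, size_t out_len)
{
    if (fetch_nr_segments(sp) > MAX_SEGS)   /* check */
        return -1;
    unsigned n = fetch_nr_segments(sp);     /* use: may already be different */
    unsigned handled = 0;
    for (unsigned i = 0; i < n && i < out_len; i++) {   /* out_len only keeps the demo memory-safe */
        out[i] = sp->req.segs[i];
        handled++;
    }
    return (int)handled;
}

/* Hardened pattern: copy the whole request into private memory exactly once,
 * put a compiler barrier after the copy so nothing is re-read from the shared
 * page, then validate and use only the private copy. */
static int backend_hardened(struct shared_page *sp, uint8_t *out, size_t out_len)
{
    struct ring_req local;
    memcpy(&local, &sp->req, sizeof(local));
    __asm__ __volatile__("" ::: "memory");   /* compiler barrier */
    sp->fetches++;
    if (sp->frontend_hook)
        sp->frontend_hook(sp);   /* frontend now rewrites the shared copy: too late */
    if (local.nr_segments > MAX_SEGS)
        return -1;
    unsigned handled = 0;
    for (unsigned i = 0; i < local.nr_segments && i < out_len; i++) {
        out[i] = local.segs[i];
        handled++;
    }
    return (int)handled;
}

/* Constructed malicious frontend: lets the first fetch see a legal value,
 * then bumps nr_segments past the limit. */
static void racing_frontend(struct shared_page *sp)
{
    if (sp->fetches == 1)
        sp->req.nr_segments = 32;
}

/* Runs one backend against the racing frontend on a constructed request
 * that advertises 4 segments; returns what the backend returned. */
static int run_demo(int (*backend)(struct shared_page *, uint8_t *, size_t))
{
    struct shared_page sp;
    uint8_t out[64];
    memset(&sp, 0, sizeof(sp));
    sp.req.nr_segments = 4;
    for (unsigned i = 0; i < sizeof(sp.req.segs); i++)
        sp.req.segs[i] = (uint8_t)i;
    sp.frontend_hook = racing_frontend;
    return backend(&sp, out, sizeof(out));
}
```

Against the racing frontend the vulnerable backend passes its check on 4 and then processes 32 segments, four times its own limit; the hardened backend processes the 4 it validated, because the frontend's later write only lands in the shared page, never in the private copy.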
Xen Project • added 2015/12/17 12:00 p.m. • 120 views

Linux pciback missing sanity checks leading to crash

ISSUE DESCRIPTION Xen PCI backend driver does not perform proper sanity checks on the device's state, which in turn allows the generic MSI code called by Xen PCI backend to be called incorrectly, leading to hitting BUG conditions or causing NULL pointer exceptions in the MSI code. CVE-2015-8551 To...

CVSS 6 • AI score 6.6 • EPSS 0.00451
Exploits 0

Xen Project • added 2019/05/14 5:00 p.m. • 119 views

Microarchitectural Data Sampling speculative side channel

ISSUE DESCRIPTION Microarchitectural Data Sampling refers to a group of speculative side-channel vulnerabilities. They consist of: CVE-2018-12126 - MSBDS - Microarchitectural Store Buffer Data Sampling CVE-2018-12127 - MLPDS - Microarchitectural Load Port Data Sampling CVE-2018-12130 - MFBDS -...

CVSS 5.9 • AI score 1.1 • EPSS 0.01553
Exploits 0

Xen Project • added 2019/03/05 12:00 p.m. • 119 views

grant table transfer issues on large hosts

ISSUE DESCRIPTION When the code processing grant table transfer requests finds a page with an address too large to be represented in the interface with the guest, it allocates a replacement page and copies page contents. However, the code doing so fails to set the newly allocated page's accountin...

CVSS 8.8 • AI score 0.1 • EPSS 0.00353
Exploits 0 • Affected software 1

Xen Project • added 2019/03/05 12:00 p.m. • 115 views

race with pass-through device hotplug

ISSUE DESCRIPTION When adding a passed-through PCI device to a domain after it was already started, IOMMU page tables may need constructing on the fly. For PV guests the decision whether a page ought to have a mapping is based on whether the page is writable, to prevent IOMMU access to things lik...

CVSS 7.8 • AI score 0.1 • EPSS 0.00259
Exploits 0 • Affected software 1

Xen Project • added 2015/10/29 11:59 a.m. • 112 views

x86: leak of per-domain profiling-related vcpu pointer array

ISSUE DESCRIPTION A domain's xenoprofile state contains an array of per-vcpu information, which is allocated once in the lifetime of a domain in response to that domain using the XENOPROF_get_buffer hypercall on itself or by a domain with the privilege to profile a target domain using the...

CVSS 4.9 • AI score 7.2 • EPSS 0.00436
Exploits 0 • Affected software 1

Xen Project • added 2020/04/14 12:00 p.m. • 111 views

Bad error path in GNTTABOP_map_grant

ISSUE DESCRIPTION Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly...

CVSS 5.5 • AI score 0.8 • EPSS 0.00527
Exploits 1

Xen Project • added 2013/06/03 12:00 p.m. • 109 views

Information leak on XSAVE/XRSTOR capable AMD CPUs

ISSUE DESCRIPTION On AMD processors supporting XSAVE/XRSTOR (family 15h and up), when an exception is pending, these instructions save/restore only the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR. This allows one domain to determine portions of the state of floating point instructions of othe...

CVSS 4.3 • AI score 1 • EPSS 0.00496
Exploits 0 • Affected software 1

Xen Project • added 2019/11/12 6:01 p.m. • 107 views

x86: Machine Check Error on Page Size Change DoS

ISSUE DESCRIPTION An erratum exists across some CPUs whereby an instruction fetch may cause a machine check error if the pagetables have been updated in a specific manner without invalidating the TLB. The x86 architecture explicitly permits modification of the pagetables without TLB invalidation,...

CVSS 6.5 • AI score 0.2 • EPSS 0.00915
Exploits 0

Xen Project • added 2019/11/12 6:01 p.m. • 106 views

TSX Asynchronous Abort speculative side channel

ISSUE DESCRIPTION This is very closely related to the Microarchitectural Data Sampling vulnerabilities from May 2019. Please see https://xenbits.xen.org/xsa/advisory-297.html for details about MDS. A new way to sample data from microarchitectural structures has been identified. A TSX Asynchronous...

CVSS 6.5 • AI score 0.7 • EPSS 0.03133
Exploits 0

Xen Project • added 2016/05/09 12:00 p.m. • 106 views

QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

ISSUE DESCRIPTION Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. But an attacker can easily change access modes after setting the bank register. This is CVE-2016-3710. Qemu VGA module...

CVSS 8.8 • AI score 3.6 • EPSS 0.00916
Exploits 0

Xen Project • added 2014/04/30 9:52 a.m. • 103 views

Hardware timer context is not properly context switched on ARM

ISSUE DESCRIPTION When running on an ARM platform Xen was not context switching the CNTKCTL_EL1 register, which is used by the guest kernel to control access by userspace processes to the hardware timers. This meant that any guest can reconfigure these settings for the entire system. IMPACT A...

CVSS 6.2 • AI score 5.9 • EPSS 0.00629
Exploits 0 • Affected software 1

Xen Project • added 2013/02/05 12:00 p.m. • 102 views

Linux pciback DoS via non-rate-limited log messages

ISSUE DESCRIPTION Xen's PCI backend drivers in Linux allow a guest with assigned PCI devices to cause a DoS through a flood of kernel messages, potentially affecting other domains in the system. IMPACT A malicious guest can mount a DoS affecting the entire system. VULNERABLE SYSTEMS All systems...

CVSS 4.9 • AI score 3.4 • EPSS 0.0044
Exploits 0

Xen Project • added 2017/03/14 12:00 p.m. • 101 views

Cirrus VGA Heap overflow via display refresh

ISSUE DESCRIPTION When a graphics update command gets passed to the VGA emulator, there are 3 possible modes that can be used to update the display: blank (clears the display), text (treats the display as showing text) and graph (treats the display as showing graphics). After the display geometry gets...

CVSS 9.9 • AI score 7.6 • EPSS 0.04448
Exploits 0 • Affected software 1

Xen Project • added 2013/05/06 3:00 p.m. • 101 views

qemu guest agent (qga) insecure file permissions

ISSUE DESCRIPTION The qemu guest agent creates files with insecure permissions when started in daemon mode. IMPACT The qemu guest agent is not used by default in Xen systems. If it is used in a particular guest, unprivileged guest processes might be able to escalate their privilege to that of the...

CVSS 6.9 • AI score 1.1 • EPSS 0.00375
Exploits 0

Xen Project • added 2022/11/01 12:00 p.m. • 97 views

Xenstore: Cooperating guests can create arbitrary numbers of nodes

ISSUE DESCRIPTION Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's...

CVSS 5.5 • AI score 1.9 • EPSS 0.00277
Exploits 0

Xen Project • added 2016/03/24 4:26 p.m. • 97 views

broken AMD FPU FIP/FDP/FOP leak workaround

ISSUE DESCRIPTION There is a workaround in Xen to deal with the fact that AMD CPUs don't load the x86 registers FIP and possibly FCS, FDP and possibly FDS, and FOP from memory via XRSTOR or FXRSTOR when there is no pending unmasked exception. See XSA-52. However, this workaround does not cover al...

CVSS 3.8 • AI score 6 • EPSS 0.0041
Exploits 0 • Affected software 1

Xen Project • added 2021/03/04 10:39 a.m. • 96 views

Linux: netback fails to honor grant mapping errors

ISSUE DESCRIPTION XSA-362 tried to address issues here, but in the case of the netback driver the changes were insufficient: It left the relevant function invocation with, effectively, no error handling at all. As a result, memory allocation failures there could still lead to frontend-induced...

CVSS 6.5 • AI score 7.3 • EPSS 0.00708
Exploits 0

Xen Project • added 2020/12/15 12:00 p.m. • 96 views

Use after free triggered by block frontend in Linux blkback

ISSUE DESCRIPTION The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use ...

CVSS 8.8 • AI score 0.6 • EPSS 0.00388
Exploits 0

Xen Project • added 2020/12/15 12:00 p.m. • 96 views

xenstore watch notifications lacking permission checks

ISSUE DESCRIPTION Neither xenstore implementation does any permissions checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified and deleted key. A guest administrator can also use the special...

CVSS 2.3 • AI score 1 • EPSS 0.00306
Exploits 0

Xen Project • added 2021/02/16 12:00 p.m. • 95 views

Linux: backends treating grant mapping errors as bugs

ISSUE DESCRIPTION Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests, like out of memory conditions, it isn't correct to assume so. Memory allocations potentially causing such...

CVSS 5.5 • AI score 6.5 • EPSS 0.00544
Exploits 0

Xen Project • added 2015/03/31 12:00 p.m. • 95 views

Certain domctl operations may be abused to lock up the host

ISSUE DESCRIPTION XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not...

CVSS 7.1 • AI score 8.5 • EPSS 0.02278
Exploits 0 • Affected software 1

Xen Project • added 2013/10/10 12:00 p.m. • 95 views

qemu disk backend (qdisk) resource leak

ISSUE DESCRIPTION The qdisk PV disk backend in the qemu-xen flavour of qemu "upstream qemu" can be influenced by a malicious frontend to leak mapped grant references. IMPACT A malicious HVM guest can cause the backend domain to run out of grant references, leading to a DoS for any other domain...

CVSS 2.7 • AI score 0.6 • EPSS 0.00585
Exploits 0

Xen Project • added 2013/01/22 11:49 a.m. • 95 views

nested virtualization on 32-bit exposes host crash

ISSUE DESCRIPTION When performing nested virtualisation Xen would incorrectly map guest pages for extended periods using an interface which is only intended for transient mappings. In some configurations there are a limited number of slots available for these transient mappings and exhausting the...

CVSS 4.6 • AI score 1.1 • EPSS 0.00603
Exploits 0

Xen Project • added 2019/10/31 12:00 p.m. • 94 views

passed through PCI devices may corrupt host memory after deassignment

ISSUE DESCRIPTION When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the...

CVSS 6.9 • AI score 1.8 • EPSS 0.00497
Exploits 0

Xen Project • added 2015/03/10 12:00 p.m. • 94 views

Non-maskable interrupts triggerable by guests

ISSUE DESCRIPTION Guests are currently permitted to modify all of the writable bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case...

CVSS 6.5 • AI score 7.2 • EPSS 0.00534
Exploits 0 • Affected software 1

Xen Project • added 2019/10/31 12:00 p.m. • 93 views

missing descriptor table limit checking in x86 PV emulation

ISSUE DESCRIPTION When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through...

CVSS 9.8 • AI score 0.7 • EPSS 0.02546
Exploits 0 • Affected software 1

Xen Project • added 2015/06/11 12:00 p.m. • 93 views

vulnerability in the iret hypercall handler

ISSUE DESCRIPTION A buggy loop in Xen's compat_iret function iterates the wrong way around a 32-bit index. Any 32-bit PV guest kernel can trigger this vulnerability by attempting a hypercall_iret with EFLAGS.VM set. Given the use of get/put_user, and that the virtual addresses in question are...

CVSS 4.9 • AI score 6.6 • EPSS 0.00437
Exploits 0 • Affected software 1

Xen Project • added 2013/09/10 10:56 a.m. • 93 views

libxl partially sets up HVM passthrough even with disabled iommu

ISSUE DESCRIPTION With HVM domains, libxl's setup of PCI passthrough devices does the IOMMU setup after giving via the device model the guest access to the hardware and advertising it to the guest. If the IOMMU is disabled the overall setup fails, but after the device has been made available to t...

CVSS 6.5 • AI score 2 • EPSS 0.00531
Exploits 0 • Affected software 1

Xen Project • added 2019/12/11 12:00 p.m. • 92 views

VMX: VMentry failure with debug exceptions and blocked states

ISSUE DESCRIPTION Please see XSA-260 for background on the MovSS shadow: http://xenbits.xen.org/xsa/advisory-260.html Please see XSA-156 for background on the need for #DB interception: http://xenbits.xen.org/xsa/advisory-156.html The VMX VMEntry checks do not like the exact combination of state...

CVSS 7.5 • AI score 0.3 • EPSS 0.02155
Exploits 0 • Affected software 1

Total number of security vulnerabilities: 482