grant_table: Race conditions with maptrack free list handling
ISSUE DESCRIPTION The grant table code in Xen has a bespoke semi-lockfree allocator for recording grant mappings ("maptrack" entries). This allocator has a race which allows the free list to be corrupted. Specifically: the code for removing an entry from the free list, prior to use, assumes without...
x86: PV privilege escalation via map_grant_ref
ISSUE DESCRIPTION When mapping a grant reference, a guest must inform Xen of where it would like the grant mapped. For PV guests, this is done by nominating an existing linear address, or an L1 pagetable entry, to be altered. Neither of these PV paths check for alignment of the passed parameter...
Cache-load gadgets exploitable with L1TF
ISSUE DESCRIPTION Previously reported vulnerabilities CVE-2017-5753 / XSA-254 (Spectre V1) and CVE-2018-3646 / XSA-273 (L1TF) can, when combined, be leveraged to more easily gather leaked information. A Spectre v1 gadget is a speculation sequence which starts with a conditional branch, contains a...
insufficient TLB flushing / improper large page mappings with AMD IOMMUs
ISSUE DESCRIPTION In order to be certain that no undue access to memory is possible anymore after IOMMU mappings of this memory have been removed, Translation Lookaside Buffers (TLBs) need to be flushed after most changes to such mappings. Xen bypassed certain IOMMU flushes on AMD x86 hardware...
x86: incorrect error handling for guest p2m page removals
ISSUE DESCRIPTION The internal function querying a domain's p2m table grabs the p2m lock by default, so that the answer to the query remains true until the caller can act on that information; it is up to the caller then to release the lock. Unfortunately, certain failure paths don't release the...
resource accounting issues in x86 IOREQ server handling
ISSUE DESCRIPTION Allocation of pages used to communicate with external emulators did not follow certain principles that are required for proper life cycle management of guest exposed pages. IMPACT A compromised DM stubdomain may cause Xen to crash, resulting in a DoS (Denial of Service) affecting...
Fix for XSA-240 conflicts with shadow paging
ISSUE DESCRIPTION The fix for XSA-240 introduced a new field into the control structure associated with each page of RAM. This field was added to a union, another member of which is used when Xen uses shadow paging for the guest. During migration, or with the L1TF (XSA-273) mitigation for PV guests...
Unlimited Arm Atomics Operations
ISSUE DESCRIPTION Software targeting pre-Armv8.1-A hardware, Xen included, commonly implements atomics using Load/Store exclusive instructions in a loop that will terminate once the store succeeded. As per the Armv8-A Architecture Reference Manual (ARM DDI0487D.a), paragraph 2.9.5 "Load-Exclusive a...
x86: insufficient TLB flushing when using PCID
ISSUE DESCRIPTION Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 and in particular its Meltdown sub-issue. This enablement implied changes to the TLB flushing logic. The particular case of context switch to a vCPU of a PCID-enabled...
x86: Inconsistent PV IOMMU discipline
ISSUE DESCRIPTION In order for a PV domain to set up DMA from a passed-through device to one of its pages, the page must be mapped in the IOMMU. On the other hand, before a PV page may be used as a "special" page type such as a pagetable or descriptor table, it must not be writable in the IOMMU...
x86/AMD: Speculative Return Stack Overflow
ISSUE DESCRIPTION Researchers from ETH Zurich have extended their prior research (XSA-422, Branch Type Confusion, a.k.a. Retbleed) and have discovered INCEPTION, also known as RAS (Return Address Stack) Poisoning, and Speculative Return Stack Overflow. The RAS is updated when a CALL instruction is...
x86 shadow: Insufficient TLB flushing when using PCID
ISSUE DESCRIPTION Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 and in particular its Meltdown sub-issue. This enablement implied changes to the TLB flushing logic. One aspect which was overlooked is the safety of switching between...
Privilege escalation via emulated floppy disk drive
ISSUE DESCRIPTION The code in qemu which emulates a floppy disk controller did not correctly bounds check accesses to an array and therefore was vulnerable to a buffer overflow attack. IMPACT A guest which has access to an emulated floppy device can exploit this vulnerability to take over the qem...
x86: steal_page violates page_struct access discipline
ISSUE DESCRIPTION Xen's reference counting rules were designed to allow pages to change owner and state without requiring a global lock. Each page has a page structure, and a very specific set of access disciplines must be observed to ensure that pages are freed properly, and that no writable...
Linux: No grant table and foreign mapping limits
ISSUE DESCRIPTION Virtual device backends and device models running in domain 0, or other backend driver domains, need to be able to map guest memory either via grant mappings, or via the foreign mapping interface. Inside Xen, mapped grants are tracked by the maptrack structure. The size of this...
Speculative Code Store Bypass
ISSUE DESCRIPTION Modern superscalar processors may employ sophisticated decoding and caching of the instruction stream to improve performance. However, a consequence is that self-modifying code updates may not take effect instantly. Whatever the architectural guarantees, some CPUs have...
oob access in cirrus bitblt copy
ISSUE DESCRIPTION When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory. IMPACT A malicious guest administrator can cause an out of bounds memory access, leading to information disclosure or privilege escalation. VULNERABLE...
x86: PV kernel context switch corruption
ISSUE DESCRIPTION On hardware supporting the fsgsbase feature, 64-bit PV guests can set and clear the applicable control bit in its virtualised %cr4, but the feature remains fully active in hardware. Therefore, the associated instructions are actually usable. Linux, which does not currently suppor...
missing preemption in x86 PV page table unvalidation
ISSUE DESCRIPTION XSA-273 changes required, among other things, making any PTE updates restartable. The changes making PTE updates restartable assumed that L2 pagetables would always be promoted preemptibly; but this turns out not to be the case when using the 'linear pagetable' feature; the resu...
x86/PV: page type reference counting issue with failed IOMMU update
ISSUE DESCRIPTION When an x86 PV domain has a passed-through PCI device assigned, IOMMU mappings may need to be updated when the type of a particular page changes. Such an IOMMU operation may fail. In the event of failure, while at present the affected guest would be forcibly crashed, the already...
paravirtualized drivers incautious about shared memory contents
ISSUE DESCRIPTION The compiler can emit optimizations in the PV backend drivers which can lead to double fetch vulnerabilities. Specifically the shared memory between the frontend and backend can be fetched twice during which time the frontend can alter the contents possibly leading to arbitrary...
Linux pciback missing sanity checks leading to crash
ISSUE DESCRIPTION The Xen PCI backend driver does not perform proper sanity checks on the device's state, which in turn allows the generic MSI code called by the Xen PCI backend to be called incorrectly, leading to hitting BUG conditions or causing NULL pointer exceptions in the MSI code. CVE-2015-8551 To...
Microarchitectural Data Sampling speculative side channel
ISSUE DESCRIPTION Microarchitectural Data Sampling refers to a group of speculative side-channel vulnerabilities. They consist of: CVE-2018-12126 - MSBDS - Microarchitectural Store Buffer Data Sampling CVE-2018-12127 - MLPDS - Microarchitectural Load Port Data Sampling CVE-2018-12130 - MFBDS -...
grant table transfer issues on large hosts
ISSUE DESCRIPTION When the code processing grant table transfer requests finds a page with an address too large to be represented in the interface with the guest, it allocates a replacement page and copies page contents. However, the code doing so fails to set the newly allocated page's accountin...
race with pass-through device hotplug
ISSUE DESCRIPTION When adding a passed-through PCI device to a domain after it was already started, IOMMU page tables may need constructing on the fly. For PV guests the decision whether a page ought to have a mapping is based on whether the page is writable, to prevent IOMMU access to things lik...
x86: leak of per-domain profiling-related vcpu pointer array
ISSUE DESCRIPTION A domain's xenoprofile state contains an array of per-vcpu information, which is allocated once in the lifetime of a domain in response to that domain using the XENOPROF_get_buffer hypercall on itself or by a domain with the privilege to profile a target domain using the...
Bad error path in GNTTABOP_map_grant
ISSUE DESCRIPTION Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly...
Information leak on XSAVE/XRSTOR capable AMD CPUs
ISSUE DESCRIPTION On AMD processors supporting XSAVE/XRSTOR (family 15h and up), when an exception is pending, these instructions save/restore only the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR. This allows one domain to determine portions of the state of floating point instructions of othe...
x86: Machine Check Error on Page Size Change DoS
ISSUE DESCRIPTION An erratum exists across some CPUs whereby an instruction fetch may cause a machine check error if the pagetables have been updated in a specific manner without invalidating the TLB. The x86 architecture explicitly permits modification of the pagetables without TLB invalidation,...
TSX Asynchronous Abort speculative side channel
ISSUE DESCRIPTION This is very closely related to the Microarchitectural Data Sampling vulnerabilities from May 2019. Please see https://xenbits.xen.org/xsa/advisory-297.html for details about MDS. A new way to sample data from microarchitectural structures has been identified. A TSX Asynchronous...
QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks
ISSUE DESCRIPTION Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. But an attacker can easily change access modes after setting the bank register. This is CVE-2016-3710. Qemu VGA module...
Hardware timer context is not properly context switched on ARM
ISSUE DESCRIPTION When running on an ARM platform Xen was not context switching the CNTKCTL_EL1 register, which is used by the guest kernel to control access by userspace processes to the hardware timers. This meant that any guest can reconfigure these settings for the entire system. IMPACT A...
Linux pciback DoS via not rate limited log messages.
ISSUE DESCRIPTION Xen's PCI backend drivers in Linux allow a guest with assigned PCI devices to cause a DoS through a flood of kernel messages, potentially affecting other domains in the system. IMPACT A malicious guest can mount a DoS affecting the entire system. VULNERABLE SYSTEMS All systems...
Cirrus VGA Heap overflow via display refresh
ISSUE DESCRIPTION When a graphics update command gets passed to the VGA emulator, there are 3 possible modes that can be used to update the display: blank (clears the display), text (treats the display as showing text), and graph (treats the display as showing graphics). After the display geometry gets...
qemu guest agent (qga) insecure file permissions
ISSUE DESCRIPTION The qemu guest agent creates files with insecure permissions when started in daemon mode. IMPACT The qemu guest agent is not used by default in Xen systems. If it is used in a particular guest, unprivileged guest processes might be able to escalate their privilege to that of the...
Xenstore: Cooperating guests can create arbitrary numbers of nodes
ISSUE DESCRIPTION Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's...
broken AMD FPU FIP/FDP/FOP leak workaround
ISSUE DESCRIPTION There is a workaround in Xen to deal with the fact that AMD CPUs don't load the x86 registers FIP (and possibly FCS), FDP (and possibly FDS), and FOP from memory via XRSTOR or FXRSTOR when there is no pending unmasked exception. See XSA-52. However, this workaround does not cover al...
Linux: netback fails to honor grant mapping errors
ISSUE DESCRIPTION XSA-362 tried to address issues here, but in the case of the netback driver the changes were insufficient: It left the relevant function invocation with, effectively, no error handling at all. As a result, memory allocation failures there could still lead to frontend-induced...
Use after free triggered by block frontend in Linux blkback
ISSUE DESCRIPTION The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use ...
xenstore watch notifications lacking permission checks
ISSUE DESCRIPTION Neither xenstore implementation does any permissions checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified and deleted key. A guest administrator can also use the special...
Linux: backends treating grant mapping errors as bugs
ISSUE DESCRIPTION Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests, like out of memory conditions, it isn't correct to assume so. Memory allocations potentially causing such...
Certain domctl operations may be abused to lock up the host
ISSUE DESCRIPTION XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not...
qemu disk backend (qdisk) resource leak
ISSUE DESCRIPTION The qdisk PV disk backend in the qemu-xen flavour of qemu ("upstream qemu") can be influenced by a malicious frontend to leak mapped grant references. IMPACT A malicious HVM guest can cause the backend domain to run out of grant references, leading to a DoS for any other domain...
nested virtualization on 32-bit exposes host crash
ISSUE DESCRIPTION When performing nested virtualisation Xen would incorrectly map guest pages for extended periods using an interface which is only intended for transient mappings. In some configurations there are a limited number of slots available for these transient mappings and exhausting the...
passed through PCI devices may corrupt host memory after deassignment
ISSUE DESCRIPTION When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the...
Non-maskable interrupts triggerable by guests
ISSUE DESCRIPTION Guests are currently permitted to modify all of the writable bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case...
missing descriptor table limit checking in x86 PV emulation
ISSUE DESCRIPTION When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through...
vulnerability in the iret hypercall handler
ISSUE DESCRIPTION A buggy loop in Xen's compat_iret function iterates the wrong way around a 32-bit index. Any 32-bit PV guest kernel can trigger this vulnerability by attempting a hypercall_iret with EFLAGS.VM set. Given the use of get/put_user, and that the virtual addresses in question are...
libxl partially sets up HVM passthrough even with disabled iommu
ISSUE DESCRIPTION With HVM domains, libxl's setup of PCI passthrough devices does the IOMMU setup after giving the guest access to the hardware via the device model and advertising it to the guest. If the IOMMU is disabled the overall setup fails, but after the device has been made available to t...
VMX: VMentry failure with debug exceptions and blocked states
ISSUE DESCRIPTION Please see XSA-260 for background on the MovSS shadow: http://xenbits.xen.org/xsa/advisory-260.html Please see XSA-156 for background on the need for DB interception: http://xenbits.xen.org/xsa/advisory-156.html The VMX VMEntry checks do not like the exact combination of state...