482 matches found
information leak in legacy x86 FPU/XMM initialization
ISSUE DESCRIPTION When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers. IMPACT A malicious domain may be able to leverage...
qemu-nbd format-guessing due to missing format specification
ISSUE DESCRIPTION The qemu-nbd tool shipped in the Xen hypervisor tools distribution as qemu-nbd-xen autodetects the image format. If a particular disk image is intended to be raw, a guest operating system administrator could write a header to the image, describing another format than original on...
VT-d interrupt remapping source validation flaw
ISSUE DESCRIPTION When passing a device which is behind a legacy PCI Bridge through to a guest Xen incorrectly configures the VT-d hardware. This could allow incorrect interrupts to be injected to other guests which also have passthrough devices. In a typical Xen system many devices are owned by...
Linear pagetable use / entry miscounts
ISSUE DESCRIPTION "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level i.e., L...
Guest triggerable qemu MSI-X pass-through error messages
ISSUE DESCRIPTION Device model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain supposedly invalid guest operations. IMPACT A buggy or malicious guest repeatedly invoking such operations may result in the host disk to fill up, possibly leading to a Denial...
Guest triggerable AMD CPU erratum may cause host hang
ISSUE DESCRIPTION AMD CPU erratum 793 "Specific Combination of Writes to Write Combined Memory Types and Locked Instructions May Cause Core Hang" describes a situation under which a CPU core may hang. IMPACT A malicious guest administrator can mount a denial of service attack affecting the whole...
qemu (e1000 device driver): Buffer overflow when processing large packets
SUMMARY AND SOURCES OF INFORMATION An issue in qemu has been disclosed which we believe affects some users of Xen. The Qemu project has not itself issued an advisory. More information may be available in the advisories published by the distros: https://bugzilla.redhat.com/showbug.cgi?id=889301...
Missing memory barriers in read-write unlock paths
ISSUE DESCRIPTION The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. ...
PV superpage functionality missing sanity checks
ISSUE DESCRIPTION The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier MFN passed to MMUEXTMARKSUPER and MMUEXTUNMARKSUPER sub-ops of the HYPERVISORmmuextop hypercall as well as for various forms of...
Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
ISSUE DESCRIPTION The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when the instruction's memory operand if any lives in emulated or passed...
ARM: Interrupts are unconditionally unmasked in exception handlers
ISSUE DESCRIPTION When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. IMPACT A malicious guest...
Hypervisor crash due to missing exception recovery on XRSTOR
ISSUE DESCRIPTION Processors do certain validity checks on the data passed to XRSTOR. While the hypervisor controls the placement of that memory block, it doesn't restrict the contents in any way. Thus the hypervisor exposes itself to a fault occurring on XRSTOR. Other than for FXRSTOR, which...
add-to-physmap can be abused to DoS Arm hosts
ISSUE DESCRIPTION p2m-maxmappedgfn is used by the functions p2mresolvetranslationfault and p2mgetentry to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUGON. The function p2mgetrootpointer will ignore...
Issues with restartable PV type change operations
ISSUE DESCRIPTION To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used...
Multiple speculative security issues
ISSUE DESCRIPTION Note: Multiple issues are contained in this XSA due to their interactions. 1 Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining to the use of Branch History between privilege levels. ARM have assigned CVE-2022-23960. Intel have assigned CVE-2022-0001 Branch...
Linux: special config may crash when trying to map foreign pages
ISSUE DESCRIPTION With CONFIGXENBALLOONMEMORYHOTPLUG disabled and CONFIGXENUNPOPULATEDALLOC enabled the Linux kernel will use guest physical addresses allocated via the ZONEDEVICE functionality for mapping foreign guest's pages. This will result in problems, as the p2m list will only cover the...
VMX: intercept issue with INVLPG on non-canonical address
ISSUE DESCRIPTION While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check...
xen crash due to use after free on hvm guest teardown
ISSUE DESCRIPTION Certain data accessible via hypercalls by the domain controlling the execution of a HVM domain is being freed prematurely, leading to the respective memory regions to possibly be read from and written to in ways unexpected by their new owners. IMPACT Malicious or buggy stub doma...
misplaced free in ocaml xc_vcpu_getaffinity stub
ISSUE DESCRIPTION The ocaml binding for the xcvcpugetaffinity function incorrectly frees a pointer before using it and subsequently freeing it again afterwards. The code therefore contains a use-after-free and double-free flaws. IMPACT An attacker may be able to cause a multithreaded toolstack...
Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.
ISSUE DESCRIPTION Linux kernel when returning from an iret assumes that %ds segment is safe and uses it to reference various per-cpu related fields. Unfortunately the user can modify the LDT and provide a NULL one. Whenever an iret is called we end up in xeniret and try to use the %ds segment and...
Linux netback DoS via malicious guest ring.
ISSUE DESCRIPTION The Xen netback implementation contains a couple of flaws which can allow a guest to cause a DoS in the backend domain, potentially affecting other domains in the system. CVE-2013-0216 is a failure to sanity check the ring producer/consumer pointers which can allow a guest to...
x86: Register File Data Sampling
ISSUE DESCRIPTION Intel have disclosed RFDS, Register File Data Sampling, affecting some Atom cores. This came from internal validation work. There is no information provided about how an attacker might go about inferring data from the register files. For more details, see:...
missed flush in XSA-321 backport
ISSUE DESCRIPTION An oversight was made when backporting XSA-321, leading entries in the IOMMU not being properly updated under certain circumstances. IMPACT A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose...
hugetlbfs use may crash PV Linux guests
ISSUE DESCRIPTION Huge 2Mb pages are generally unavailable to PV guests. Since x86 Linux pvops-based kernels are generally multi purpose, they would normally be built with hugetlbfs support enabled. Use of that functionality by an application in a PV guest would cause an infinite page fault loop,...
HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak
ISSUE DESCRIPTION The HVMOPsetmemaccess operation handler uses an input as an array index before range checking it. IMPACT A malicious guest administrator can cause Xen to crash. If the out of array bounds access does not crash, the arbitrary value read will be used if the caller reads back the...
VMX: guest user mode may crash guest with non-canonical RIP
ISSUE DESCRIPTION VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies ...
Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
ISSUE DESCRIPTION Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component. IMPACT A buggy or malicious HVM gues...
find_next_bit() issues
ISSUE DESCRIPTION In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: - On 32-bit Arm accesses to bitmaps with bit a count which is a multiple of 32, an out of bounds access...
Device quarantine for alternate pci assignment methods
ISSUE DESCRIPTION XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of...
Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
ISSUE DESCRIPTION xenfailsafecallback incorrectly sets up its stack if an iret fault is injected by the hypervisor. IMPACT Malicious or buggy unprivileged userspace can cause the guest kernel to crash, or operate erroneously. VULNERABLE SYSTEMS All 32bit PVOPS versions of Linux are affected, sinc...
Broken error handling in guest_physmap_mark_populate_on_demand()
ISSUE DESCRIPTION guestphysmapmarkpopulateondemand, before carrying out its actual operation, checks that the subject GFNs are not in use. If that check fails, the code prints a message and bypasses the gfnunlock matching the gfnlock carried out before entering the loop. Further, the function is...
network backend may cause Linux netfront to use freed SKBs
ISSUE DESCRIPTION While adding logic to support XDP eXpress Data Path, a code label was moved in a way allowing for SKBs having references pointers retained for further processing to nevertheless be freed. IMPACT A misbehaving or malicious backend may cause a Denial of Service DoS in the guest...
Linux: blkback driver may leak persistent grants
ISSUE DESCRIPTION The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup...
Information leak through version information hypercall
ISSUE DESCRIPTION The code handling certain sub-operations of the HYPERVISORxenversion hypercall fails to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents are copied into the destination of the operation, thus becoming visib...
information leak via gnttab_setup_table on ARM
ISSUE DESCRIPTION When initialising an internal data structure on ARM platform Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOPsetuptable subhypercall, leading to an information leak. IMPACT Malicious guest...
insufficient permissions checks accessing guest memory on ARM
ISSUE DESCRIPTION When accessing guest memory Xen does not correctly perform permissions checks on the possibly guest provided virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it shoul...
VCPUOP_initialise DoS
ISSUE DESCRIPTION hypercallcreatecontinuation is a variadic function which uses a printf-like format string to interpret its parameters. Error handling for a bad format character was done using BUG, which crashes Xen. One path, via the VCPUOPinitialise hypercall, has a bad format character. The B...
HVMOP_set_mem_access is not preemptible
ISSUE DESCRIPTION Processing of the HVMOPsetmemaccess HVM control operations does not check the size of its input and can tie up a physical CPU for extended periods of time. IMPACT In a configuration where device models run with limited privilege for example, stubdom device models, a guest attack...
several HVM operations do not validate the range of their inputs
ISSUE DESCRIPTION Several HVM control operations do not check the size of their inputs and can tie up a physical CPU for extended periods of time. In addition dirty video RAM tracking involves clearing the bitmap provided by the domain controlling the guest e.g. dom0 or a stubdom. If the size of...
Linux: grant mapping error handling issues
ISSUE DESCRIPTION Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the...
Bugs in dynamic height handling for AMD IOMMU pagetables
ISSUE DESCRIPTION When running on AMD systems with an IOMMU, Xen attempted to dynamically adapt the number of levels of pagetables the pagetable height in the IOMMU according to the guest's address space size. The code to select and update the height had several bugs. Notably, the update was done...
Unsanitised guest input in libxl device handling code
ISSUE DESCRIPTION Various parts of libxl device-handling code inappropriately use information from partially guest controlled areas of xenstore principally the frontend directory /local/domain/GUEST/device/TYPE/DEVID, henceforth referred to as FE. The problems vary by device type: For almost all...
xl command line config handling stack overflow
ISSUE DESCRIPTION The xl command line utility mishandles long configuration values when passed as command line arguments, with a buffer overrun. VULNERABLE SYSTEMS Systems built on top of xl which pass laundered or checked but otherwise untrusted configuration values onto xl's command line, witho...
HVMOP_set_mem_type allows invalid P2M entries to be created
ISSUE DESCRIPTION The implementation in Xen of the HVMOPsetmemtype HVM control operations attempts to exclude transitioning a page from an inappropriate memory type. However, only an inadequate subset of memory types is excluded. There are certain other types that don't correspond to a particular...
Potential use of freed memory in event channel operations
ISSUE DESCRIPTION Wrong ordering of operations upon extending the per-domain event channel tracking table can cause a pointer to freed memory to be left in place, when the hypervisor is under memory pressure and XSM Xen Security Module is enabled. IMPACT Malicious guest kernels could inject...
Linux: error handling issues in blkback's grant mapping
ISSUE DESCRIPTION To service requests, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent...
Heap overflow in QEMU PCNET controller, allowing guest->host escape
ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: pcnettransmit loads a transmit-frame descriptor from the guest into the /tmd/ local variable to recover a length field, a status field and a guest-physical location of the associated frame buffer. If the status fiel...
Long latency MMIO mapping operations are not preemptible
ISSUE DESCRIPTION The XENDOMCTLmemorymapping hypercall allows long running operations without implementing preemption. This hypercall is used by the device model as part of the emulation associated with configuration of PCI devices passed through to HVM guests and is therefore indirectly exposed ...
HVM qemu unexpectedly enabling emulated VGA graphics backends
ISSUE DESCRIPTION When instantiating an emulated VGA device for an x86 HVM guest qemu will by default enable a backend to expose that device, either SDL or VNC depending on the version of qemu and the build time configuration. The libxl toolstack library does not explicitly disable these default...
x86: MMIO Stale Data vulnerabilities
ISSUE DESCRIPTION This issue is related to the SRBDS, TAA and MDS vulnerabilities. Please see: https://xenbits.xen.org/xsa/advisory-320.html SRBDS https://xenbits.xen.org/xsa/advisory-305.html TAA https://xenbits.xen.org/xsa/advisory-297.html MDS Please see Intel's whitepaper:...