Lucene search
K
XenMost viewed

482 matches found

Xen Project
Xen Project
•added 2015/12/17 12:0 p.m.•92 views

information leak in legacy x86 FPU/XMM initialization

ISSUE DESCRIPTION When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers. IMPACT A malicious domain may be able to leverage...

8.6CVSS7.5AI score0.02254EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/04/15 3:0 p.m.•92 views

qemu-nbd format-guessing due to missing format specification

ISSUE DESCRIPTION The qemu-nbd tool shipped in the Xen hypervisor tools distribution as qemu-nbd-xen autodetects the image format. If a particular disk image is intended to be raw, a guest operating system administrator could write a header to the image, describing another format than original on...

3.3CVSS0.00344EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/01/08 12:0 p.m.•92 views

VT-d interrupt remapping source validation flaw

ISSUE DESCRIPTION When passing a device which is behind a legacy PCI Bridge through to a guest Xen incorrectly configures the VT-d hardware. This could allow incorrect interrupts to be injected to other guests which also have passthrough devices. In a typical Xen system many devices are owned by...

6.1CVSS2.3AI score0.00716EPSS
Exploits0
Xen Project
Xen Project
•added 2019/12/11 12:0 p.m.•90 views

Linear pagetable use / entry miscounts

ISSUE DESCRIPTION "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level i.e., L...

8.8CVSS0.0039EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/06/02 12:0 p.m.•90 views

Guest triggerable qemu MSI-X pass-through error messages

ISSUE DESCRIPTION Device model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain supposedly invalid guest operations. IMPACT A buggy or malicious guest repeatedly invoking such operations may result in the host disk to fill up, possibly leading to a Denial...

4.9CVSS8AI score0.00478EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/12/02 5:13 p.m.•90 views

Guest triggerable AMD CPU erratum may cause host hang

ISSUE DESCRIPTION AMD CPU erratum 793 "Specific Combination of Writes to Write Combined Memory Types and Locked Instructions May Cause Core Hang" describes a situation under which a CPU core may hang. IMPACT A malicious guest administrator can mount a denial of service attack affecting the whole...

4.7CVSS2.2AI score0.00588EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/01/16 2:50 p.m.•90 views

qemu (e1000 device driver): Buffer overflow when processing large packets

SUMMARY AND SOURCES OF INFORMATION An issue in qemu has been disclosed which we believe affects some users of Xen. The Qemu project has not itself issued an advisory. More information may be available in the advisories published by the distros: https://bugzilla.redhat.com/showbug.cgi?id=889301...

9.3CVSS0.4AI score0.04904EPSS
Exploits0
Xen Project
Xen Project
•added 2020/04/14 12:0 p.m.•89 views

Missing memory barriers in read-write unlock paths

ISSUE DESCRIPTION The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. ...

7.8CVSS1.8AI score0.00288EPSS
Exploits0
Xen Project
Xen Project
•added 2016/01/20 12:0 p.m.•89 views

PV superpage functionality missing sanity checks

ISSUE DESCRIPTION The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier MFN passed to MMUEXTMARKSUPER and MMUEXTUNMARKSUPER sub-ops of the HYPERVISORmmuextop hypercall as well as for various forms of...

8.5CVSS1.3AI score0.01153EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/09/23 12:0 p.m.•90 views

Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation

ISSUE DESCRIPTION The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when the instruction's memory operand if any lives in emulated or passed...

5.8CVSS4.8AI score0.00968EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2019/10/31 12:0 p.m.•88 views

ARM: Interrupts are unconditionally unmasked in exception handlers

ISSUE DESCRIPTION When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. IMPACT A malicious guest...

8.8CVSS2.3AI score0.01817EPSS
Exploits0
Xen Project
Xen Project
•added 2013/06/03 12:0 p.m.•88 views

Hypervisor crash due to missing exception recovery on XRSTOR

ISSUE DESCRIPTION Processors do certain validity checks on the data passed to XRSTOR. While the hypervisor controls the placement of that memory block, it doesn't restrict the contents in any way. Thus the hypervisor exposes itself to a fault occurring on XRSTOR. Other than for FXRSTOR, which...

5.2CVSS1.7AI score0.00531EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2019/10/31 12:0 p.m.•87 views

add-to-physmap can be abused to DoS Arm hosts

ISSUE DESCRIPTION p2m-maxmappedgfn is used by the functions p2mresolvetranslationfault and p2mgetentry to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUGON. The function p2mgetrootpointer will ignore...

8.8CVSS0.6AI score0.02059EPSS
Exploits0
Xen Project
Xen Project
•added 2019/10/31 12:0 p.m.•87 views

Issues with restartable PV type change operations

ISSUE DESCRIPTION To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used...

7.5CVSS0.5AI score0.01679EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/03/08 6:16 p.m.•86 views

Multiple speculative security issues

ISSUE DESCRIPTION Note: Multiple issues are contained in this XSA due to their interactions. 1 Researchers at VU Amsterdam have discovered Spectre-BHB, pertaining to the use of Branch History between privilege levels. ARM have assigned CVE-2022-23960. Intel have assigned CVE-2022-0001 Branch...

6.5CVSS0.2AI score0.00508EPSS
Exploits0
Xen Project
Xen Project
•added 2021/03/04 10:58 a.m.•86 views

Linux: special config may crash when trying to map foreign pages

ISSUE DESCRIPTION With CONFIGXENBALLOONMEMORYHOTPLUG disabled and CONFIGXENUNPOPULATEDALLOC enabled the Linux kernel will use guest physical addresses allocated via the ZONEDEVICE functionality for mapping foreign guest's pages. This will result in problems, as the p2m list will only cover the...

6.5CVSS0.7AI score0.00424EPSS
Exploits0
Xen Project
Xen Project
•added 2016/01/20 12:0 p.m.•86 views

VMX: intercept issue with INVLPG on non-canonical address

ISSUE DESCRIPTION While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check...

6.3CVSS0.1AI score0.01277EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/01/06 12:0 p.m.•87 views

xen crash due to use after free on hvm guest teardown

ISSUE DESCRIPTION Certain data accessible via hypercalls by the domain controlling the execution of a HVM domain is being freed prematurely, leading to the respective memory regions to possibly be read from and written to in ways unexpected by their new owners. IMPACT Malicious or buggy stub doma...

7.8CVSS8.8AI score0.02513EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/10/10 12:0 p.m.•86 views

misplaced free in ocaml xc_vcpu_getaffinity stub

ISSUE DESCRIPTION The ocaml binding for the xcvcpugetaffinity function incorrectly frees a pointer before using it and subsequently freeing it again afterwards. The code therefore contains a use-after-free and double-free flaws. IMPACT An attacker may be able to cause a multithreaded toolstack...

4.6CVSS0.8AI score0.00429EPSS
Exploits0
Xen Project
Xen Project
•added 2013/02/12 12:0 p.m.•86 views

Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.

ISSUE DESCRIPTION Linux kernel when returning from an iret assumes that %ds segment is safe and uses it to reference various per-cpu related fields. Unfortunately the user can modify the LDT and provide a NULL one. Whenever an iret is called we end up in xeniret and try to use the %ds segment and...

6.2CVSS1.2AI score0.00394EPSS
Exploits1
Xen Project
Xen Project
•added 2013/02/05 12:0 p.m.•86 views

Linux netback DoS via malicious guest ring.

ISSUE DESCRIPTION The Xen netback implementation contains a couple of flaws which can allow a guest to cause a DoS in the backend domain, potentially affecting other domains in the system. CVE-2013-0216 is a failure to sanity check the ring producer/consumer pointers which can allow a guest to...

5.2CVSS2.2AI score0.00988EPSS
Exploits1
Xen Project
Xen Project
•added 2024/03/12 5:6 p.m.•85 views

x86: Register File Data Sampling

ISSUE DESCRIPTION Intel have disclosed RFDS, Register File Data Sampling, affecting some Atom cores. This came from internal validation work. There is no information provided about how an attacker might go about inferring data from the register files. For more details, see:...

6.5CVSS6.6AI score0.00546EPSS
Exploits0
Xen Project
Xen Project
•added 2021/02/18 11:47 a.m.•85 views

missed flush in XSA-321 backport

ISSUE DESCRIPTION An oversight was made when backporting XSA-321, leading entries in the IOMMU not being properly updated under certain circumstances. IMPACT A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose...

7.8CVSS0.9AI score0.00356EPSS
Exploits0
Xen Project
Xen Project
•added 2016/04/14 12:0 p.m.•85 views

hugetlbfs use may crash PV Linux guests

ISSUE DESCRIPTION Huge 2Mb pages are generally unavailable to PV guests. Since x86 Linux pvops-based kernels are generally multi purpose, they would normally be built with hugetlbfs support enabled. Use of that functionality by an application in a PV guest would cause an infinite page fault loop,...

5.5CVSS6.3AI score0.0051EPSS
Exploits0
Xen Project
Xen Project
•added 2012/12/03 5:51 p.m.•85 views

HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak

ISSUE DESCRIPTION The HVMOPsetmemaccess operation handler uses an input as an array index before range checking it. IMPACT A malicious guest administrator can cause Xen to crash. If the out of array bounds access does not crash, the arbitrary value read will be used if the caller reads back the...

3.2CVSS1.6AI score0.00406EPSS
Exploits0
Xen Project
Xen Project
•added 2016/02/17 12:0 p.m.•84 views

VMX: guest user mode may crash guest with non-canonical RIP

ISSUE DESCRIPTION VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies ...

5.5CVSS6.7AI score0.00391EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/11/27 11:25 a.m.•84 views

Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor

ISSUE DESCRIPTION Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component. IMPACT A buggy or malicious HVM gues...

4.9CVSS9AI score0.00465EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2019/12/11 12:0 p.m.•83 views

find_next_bit() issues

ISSUE DESCRIPTION In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: - On 32-bit Arm accesses to bitmaps with bit a count which is a multiple of 32, an out of bounds access...

6.5CVSS0.9AI score0.00378EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2019/11/26 12:0 p.m.•83 views

Device quarantine for alternate pci assignment methods

ISSUE DESCRIPTION XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of...

7.2CVSS1.3AI score0.00451EPSS
Exploits0
Xen Project
Xen Project
•added 2013/01/16 2:50 p.m.•83 views

Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests.

ISSUE DESCRIPTION xenfailsafecallback incorrectly sets up its stack if an iret fault is injected by the hypervisor. IMPACT Malicious or buggy unprivileged userspace can cause the guest kernel to crash, or operate erroneously. VULNERABLE SYSTEMS All 32bit PVOPS versions of Linux are affected, sinc...

4.9CVSS3.9AI score0.00366EPSS
Exploits0
Xen Project
Xen Project
•added 2012/12/03 5:51 p.m.•83 views

Broken error handling in guest_physmap_mark_populate_on_demand()

ISSUE DESCRIPTION guestphysmapmarkpopulateondemand, before carrying out its actual operation, checks that the subject GFNs are not in use. If that check fails, the code prints a message and bypasses the gfnunlock matching the gfnlock carried out before entering the loop. Further, the function is...

4.7CVSS0.9AI score0.00411EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/07/05 12:0 p.m.•81 views

network backend may cause Linux netfront to use freed SKBs

ISSUE DESCRIPTION While adding logic to support XDP eXpress Data Path, a code label was moved in a way allowing for SKBs having references pointers retained for further processing to nevertheless be freed. IMPACT A misbehaving or malicious backend may cause a Denial of Service DoS in the guest...

7.8CVSS7.7AI score0.00349EPSS
Exploits0
Xen Project
Xen Project
•added 2021/03/30 12:0 p.m.•81 views

Linux: blkback driver may leak persistent grants

ISSUE DESCRIPTION The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup...

6.5CVSS7.1AI score0.00332EPSS
Exploits0
Xen Project
Xen Project
•added 2015/03/05 12:0 p.m.•81 views

Information leak through version information hypercall

ISSUE DESCRIPTION The code handling certain sub-operations of the HYPERVISORxenversion hypercall fails to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents are copied into the destination of the operation, thus becoming visib...

2.1CVSS6.6AI score0.00466EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/06/25 12:0 p.m.•81 views

information leak via gnttab_setup_table on ARM

ISSUE DESCRIPTION When initialising an internal data structure on ARM platform Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOPsetuptable subhypercall, leading to an information leak. IMPACT Malicious guest...

2.7CVSS6.3AI score0.00542EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/06/04 12:0 p.m.•81 views

insufficient permissions checks accessing guest memory on ARM

ISSUE DESCRIPTION When accessing guest memory Xen does not correctly perform permissions checks on the possibly guest provided virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it shoul...

7.4CVSS6.6AI score0.00653EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2019/10/31 12:0 p.m.•80 views

VCPUOP_initialise DoS

ISSUE DESCRIPTION hypercallcreatecontinuation is a variadic function which uses a printf-like format string to interpret its parameters. Error handling for a bad format character was done using BUG, which crashes Xen. One path, via the VCPUOPinitialise hypercall, has a bad format character. The B...

6.5CVSS1.8AI score0.02522EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/03/25 12:0 p.m.•80 views

HVMOP_set_mem_access is not preemptible

ISSUE DESCRIPTION Processing of the HVMOPsetmemaccess HVM control operations does not check the size of its input and can tie up a physical CPU for extended periods of time. IMPACT In a configuration where device models run with limited privilege for example, stubdom device models, a guest attack...

4.9CVSS5.9AI score0.00399EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/12/03 5:51 p.m.•80 views

several HVM operations do not validate the range of their inputs

ISSUE DESCRIPTION Several HVM control operations do not check the size of their inputs and can tie up a physical CPU for extended periods of time. In addition dirty video RAM tracking involves clearing the bitmap provided by the domain controlling the guest e.g. dom0 or a stubdom. If the size of...

4.7CVSS1.8AI score0.00435EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/02/16 12:0 p.m.•79 views

Linux: grant mapping error handling issues

ISSUE DESCRIPTION Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the...

5.5CVSS6.2AI score0.00346EPSS
Exploits0
Xen Project
Xen Project
•added 2019/12/11 12:0 p.m.•79 views

Bugs in dynamic height handling for AMD IOMMU pagetables

ISSUE DESCRIPTION When running on AMD systems with an IOMMU, Xen attempted to dynamically adapt the number of levels of pagetables the pagetable height in the IOMMU according to the guest's address space size. The code to select and update the height had several bugs. Notably, the update was done...

7.2CVSS0.3AI score0.00503EPSS
Exploits0
Xen Project
Xen Project
•added 2016/06/02 12:0 p.m.•79 views

Unsanitised guest input in libxl device handling code

ISSUE DESCRIPTION Various parts of libxl device-handling code inappropriately use information from partially guest controlled areas of xenstore principally the frontend directory /local/domain/GUEST/device/TYPE/DEVID, henceforth referred to as FE. The problems vary by device type: For almost all...

6.8CVSS0.5AI score0.00399EPSS
Exploits0
Xen Project
Xen Project
•added 2015/07/07 12:0 p.m.•79 views

xl command line config handling stack overflow

ISSUE DESCRIPTION The xl command line utility mishandles long configuration values when passed as command line arguments, with a buffer overrun. VULNERABLE SYSTEMS Systems built on top of xl which pass laundered or checked but otherwise untrusted configuration values onto xl's command line, witho...

6.8CVSS7.5AI score0.00394EPSS
Exploits0
Xen Project
Xen Project
•added 2014/04/29 8:50 a.m.•79 views

HVMOP_set_mem_type allows invalid P2M entries to be created

ISSUE DESCRIPTION The implementation in Xen of the HVMOPsetmemtype HVM control operations attempts to exclude transitioning a page from an inappropriate memory type. However, only an inadequate subset of memory types is excluded. There are certain other types that don't correspond to a particular...

6.7CVSS6.1AI score0.0081EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/04/04 5:54 p.m.•79 views

Potential use of freed memory in event channel operations

ISSUE DESCRIPTION Wrong ordering of operations upon extending the per-domain event channel tracking table can cause a pointer to freed memory to be left in place, when the hypervisor is under memory pressure and XSM Xen Security Module is enabled. IMPACT Malicious guest kernels could inject...

4.4CVSS0.8AI score0.00401EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/02/16 12:0 p.m.•78 views

Linux: error handling issues in blkback's grant mapping

ISSUE DESCRIPTION To service requests, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent...

7.8CVSS7.6AI score0.00348EPSS
Exploits0
Xen Project
Xen Project
•added 2015/06/10 1:10 p.m.•78 views

Heap overflow in QEMU PCNET controller, allowing guest->host escape

ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: pcnettransmit loads a transmit-frame descriptor from the guest into the /tmd/ local variable to recover a length field, a status field and a guest-physical location of the associated frame buffer. If the status fiel...

7.5CVSS6.5AI score0.09668EPSS
Exploits0
Xen Project
Xen Project
•added 2015/03/31 12:0 p.m.•78 views

Long latency MMIO mapping operations are not preemptible

ISSUE DESCRIPTION The XENDOMCTLmemorymapping hypercall allows long running operations without implementing preemption. This hypercall is used by the device model as part of the emulation associated with configuration of PCI devices passed through to HVM guests and is therefore indirectly exposed ...

4.9CVSS6.4AI score0.00453EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/03/12 12:0 p.m.•78 views

HVM qemu unexpectedly enabling emulated VGA graphics backends

ISSUE DESCRIPTION When instantiating an emulated VGA device for an x86 HVM guest qemu will by default enable a backend to expose that device, either SDL or VNC depending on the version of qemu and the build time configuration. The libxl toolstack library does not explicitly disable these default...

1.9CVSS9.4AI score0.00419EPSS
Exploits0
Xen Project
Xen Project
•added 2022/06/14 6:26 p.m.•77 views

x86: MMIO Stale Data vulnerabilities

ISSUE DESCRIPTION This issue is related to the SRBDS, TAA and MDS vulnerabilities. Please see: https://xenbits.xen.org/xsa/advisory-320.html SRBDS https://xenbits.xen.org/xsa/advisory-305.html TAA https://xenbits.xen.org/xsa/advisory-297.html MDS Please see Intel's whitepaper:...

5.5CVSS1.9AI score0.06451EPSS
Exploits0
Total number of security vulnerabilities482