482 matches found
x86 segment base write emulation lacking canonical address checks
ISSUE DESCRIPTION Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against GP faults havi...
arm: various unimplemented hypercalls log without rate limiting
ISSUE DESCRIPTION The HYPERVISORphysdevop hypercall and most suboperations of the HYPERVISORhvmop hypercall are not currently implemented by Xen on ARM and when called will log the use to the hypervisor console. However these guest accessible log messages are not rate-limited. IMPACT A malicious...
Nested HVM exposes host to being driven out of memory by guest
ISSUE DESCRIPTION Guests are currently permitted to enable nested virtualization on themselves. Missing error handling cleanup in the handling code makes it possible for a guest, particularly a multi-vCPU one, to repeatedly invoke this operation, thus causing a leak of - over time - unbounded...
Xenstore: guests can let run xenstored out of memory
ISSUE DESCRIPTION Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service DoS of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the...
multiple xenoprof issues
ISSUE DESCRIPTION Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed. This is CVE-2020-11740. Furthermore, for guests for which "active" profiling was enabled by the administrator, the xenoprof code use...
grant transfer allows PV guest to elevate privileges
ISSUE DESCRIPTION The GNTTABOPtransfer operation allows one guest to transfer a page to another guest. The internal processing of this, however, does not include zapping the previous type of the page being transferred. This makes it possible for a PV guest to transfer a page previously used as pa...
heap buffer overflow vulnerability in pcnet emulator
ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: The AMD PC-Net II emulatorhw/net/pcnet.c, while receiving packets in loopback mode, appends CRC code to the receive buffer. If the data size given is same as the buffer size4096, the appended CRC code overwrites 4...
x86: CPU lockup during exception delivery
ISSUE DESCRIPTION When a benign exception occurs while delivering another benign exception, it is architecturally specified that these would be delivered sequentially. There are, however, cases where this results in an infinite loop inside the CPU, which in the virtualized case can be broken only...
x86: Long latency populate-on-demand operation is not preemptible
ISSUE DESCRIPTION When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain. This search runs without preemption. The guest can, by suitable arrangement of its memory...
Host crash due to guest VMX instruction execution
ISSUE DESCRIPTION Permission checks on the emulation paths intended for guests using nested virtualization for VMLAUNCH and VMRESUME were deferred too much. The hypervisor would try to use internal state which is not set up unless nested virtualization is actually enabled for a guest. IMPACT A...
Further issues with restartable PV type change operations
ISSUE DESCRIPTION XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed. IMPACT A malicious PV guest administrator may be able to escalate their privilege to that of the host. VULNERABLE SYSTEMS Al...
cirrus_bitblt_cputovideo does not check if memory region is safe
ISSUE DESCRIPTION In CIRRUSBLTMODEMEMSYSSRC mode the bitblit copy routine cirrusbitbltcputovideo fails to check wethehr the specified memory region is safe. IMPACT A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation. VULNERABL...
p2m lock starvation
ISSUE DESCRIPTION The current read/write lock implementation is read-biased, which allows a consistent stream of readers to starve writers indefinitely. There are certain rwlocks where guests are capable of applying arbitrary read pressure. IMPACT A malicious guest administrator can deny service ...
ocaml xenstored mishandles oversized message replies
ISSUE DESCRIPTION The Ocaml xenstored implementation "oxenstored" cannot correctly handle a message reply larger than XENSTOREPAYLOADSIZE when communicating with a client domain via the shared ring mechanism. When this situation occurs the connection to the client domain will be shutdown and cann...
I/O port access privilege escalation in x86-64 Linux
ISSUE DESCRIPTION IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3 for 64-bit ones; 32-bit ones run at privilege level 1, to compensate for this the context switching of EFLAGS.IOPL requires the guest ...
QEMU heap overflow flaw while processing certain ATAPI commands.
ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with CDROM drive enabled could potentially use thi...
Unmediated PCI register access in qemu
ISSUE DESCRIPTION Qemu allows guests to not only read, but also write all parts of the PCI config space but not extended config space of passed through PCI devices not explicitly dealt with for partial emulation purposes. IMPACT Since the effect depends on the specific purpose of the the config...
Information leak via internal x86 system device emulation
ISSUE DESCRIPTION Emulation routines in the hypervisor dealing with certain system devices check whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor sta...
grant table hypercall acquire/release imbalance
ISSUE DESCRIPTION When releasing a non-v1 non-transitive grant after doing a grant copy operation, Xen incorrectly recurses as if for a transitive grant and releases an unrelated grant reference. IMPACT A malicious guest administrator can cause undefined behaviour; depending on the dom0 kernel a...
x86/AMD: Divide speculative information leak
ISSUE DESCRIPTION In the Zen1 microarchitecure, there is one divider in the pipeline which services uops from both threads. In the case of DE, the latched result from the previous DIV to execute will be forwarded speculatively. This is a covert channel that allows two threads to communicate witho...
Guest can force Linux netback driver to hog large amounts of kernel memory
ISSUE DESCRIPTION Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken for avoiding to pile up too much data, but those can be bypassed by the guest: There is a timeout how long the client side ...
use-after-free in xc_cpupool_getinfo() under memory pressure
ISSUE DESCRIPTION If xccpumapalloc fails then xccpupoolgetinfo will free and incorrectly return the then-free pointer to the result structure. IMPACT An attacker may be able to cause a multi-threaded toolstack using this function to race against itself leading to heap corruption and a potential...
Lock order reversal between page_alloc_lock and mm_rwlock
ISSUE DESCRIPTION The locks pagealloclock and mmrwlock are not always taken in the same order. This raises the possibility of deadlock. The incorrect order occurs only in the implementation of the deprecated domctl hypercall XENDOMCTLgetmemlist. IMPACT A malicious guest administrator may be able ...
GhostRace: Speculative Race Conditions
ISSUE DESCRIPTION Researchers at VU Amsterdam and IBM Research have discovered GhostRace; an analysis of the behaviour of synchronisation primitives under speculative execution. Synchronisation primitives are typically formed as an unbounded loop which waits until a resource is available to be...
x86 shadow paging arbitrary pointer dereference
ISSUE DESCRIPTION In environments where host assisted address translation is necessary but Hardware Assisted Paging HAP is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest...
Guest triggered use-after-free in Linux xen-netback
ISSUE DESCRIPTION A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux...
Hypercalls exposed to privilege rings 1 and 2 of HVM guests
ISSUE DESCRIPTION The privilege check applied to hypercall attempts by a HVM guest only refused access from ring 3; rings 1 and 2 were allowed through. IMPACT Code running in the intermediate privilege rings of HVM guest OSes may be able to elevate its privileges inside the guest by careful...
Memory accessible by 64-bit PV guests under live migration
ISSUE DESCRIPTION On some hardware, during live migration of 64-bit PV guests, some parts of the guest's shadow pagetables are mistakenly filled in with hypervisor mappings. This causes Xen to crash when those mappings are later cleared. Before the crash, a malicious guest could use hypercalls to...
Several access permission issues with IRQs for unprivileged guests
ISSUE DESCRIPTION Various IRQ related access control operations may not have the intended effect, thus potentially permitting a stub domain to grant its client domain access to an IRQ it doesn't have access to itself. IMPACT Malicious or buggy stub domains kernels can mount a denial of service...
XENMEM_exchange may overwrite hypervisor memory
ISSUE DESCRIPTION The handler for XENMEMexchange accesses guest memory without range checking the guest provided addresses, thus allowing these accesses to include the hypervisor reserved range. IMPACT A malicious guest administrator can cause Xen to crash. If the out of address space bounds acce...
blkif responses leak backend stack data
ISSUE DESCRIPTION The block interface response structure has some discontiguous fields. Certain backends populate the structure fields of an otherwise uninitialized instance of this structure on their stacks, leaking data through the internal or trailing padding field. IMPACT A malicious...
Hypervisor memory corruption due to x86 emulator flaw
ISSUE DESCRIPTION Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. IMPACT A malicious gues...
Missing privilege level checks in x86 emulation of far branches
ISSUE DESCRIPTION The emulation of far branch instructions CALL, JMP, and RETF in Intel assembly syntax, LCALL, LJMP, and LRET in AT&T assembly syntax incompletely performs privilege checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when a memory...
IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues
ISSUE DESCRIPTION Certain PCI devices in a system might be assigned Reserved Memory Regions specified via Reserved Memory Region Reporting, "RMRR" for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose...
x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests
ISSUE DESCRIPTION 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different...
PCI passthrough code reading back hardware registers
ISSUE DESCRIPTION Code paths in Xen's MSI handling have been identified which act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for device...
ARM guests may induce host asynchronous abort
ISSUE DESCRIPTION Depending on how the hardware and firmware have been integrated, guest-triggered asynchronous aborts SError on ARMv8 may be received by the hypervisor. The current action is to crash the host. A guest might trigger an asynchronous abort when accessing memory mapped hardware in a...
x86 task switch to VM86 mode mis-handled
ISSUE DESCRIPTION LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code. IMPACT On SVM AMD hardware: a malicious unprivileged guest process can escalate its...
arm: Host crash when preempting a multicall
ISSUE DESCRIPTION Early versions of Xen on ARM did not support "multicall" functionality the ability to perform multiple operations via a single hypercall and therefore stubbed out the functionality needed to support preemption of multicalls in a manner which crashed the host. When multicall...
Excessive checking in compatibility mode hypercall argument translation
ISSUE DESCRIPTION The hypercall argument translation needed for 32-bit guests running on 64-bit hypervisors performs checks on the final register state. These checks cover all registers potentially holding hypercall arguments, not just the ones actually doing so for the hypercall being processed,...
Vulnerabilities in HVM MSI injection
ISSUE DESCRIPTION The implementation of the HVM control operation HVMOPinjectmsi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de-...
x86: Multiple speculative security issues
ISSUE DESCRIPTION 1 Researchers have discovered that on some AMD CPUs, the implementation of IBPB Indirect Branch Prediction Barrier does not behave according to the specification. Specifically, IBPB fails to properly flush the RAS Return Address Stack, also RSB - Return Stack Buffer - in Intel...
Bad continuation handling in GNTTABOP_copy
ISSUE DESCRIPTION Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 / XSA-226 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular the status fields...
qemu-dm buffer overrun in MSI-X handling
ISSUE DESCRIPTION "qemu-xen-traditional" aka qemu-dm tracks state for each MSI-X table entry of a passed through device. This is used/updated on intercepted accesses to the pages containing the MSI-X table. There may be space on the final page not covered by any MSI-X table entry, but memory for...
input handling vulnerabilities loading guest kernel on ARM
ISSUE DESCRIPTION When loading a 32-bit ARM guest kernel the Xen tools did not correctly validate the length of the kernel against the actual image size. This would then lead to an overrun on the input buffer when loading the kernel into guest RAM CVE-2014-3714. Furthermore when checking a 32-bit...
Xen PV DoS vulnerability with SYSENTER
ISSUE DESCRIPTION The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified - in particular, the NT flag doesn't get cleared. If the hypervisor subsequently uses IRET to return to the guest which...
x86 pv: Insufficient care with non-coherent mappings
ISSUE DESCRIPTION Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's...
guest 32-bit ELF symbol table load leaking host data
ISSUE DESCRIPTION Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load kernel symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These unused...
libxl fails to honour readonly flag on disks with qemu-xen
ISSUE DESCRIPTION Callers of libxl can specify that a disk should be read-only to the guest. However, there is no code in libxl to pass this information to qemu-xen the upstream-based qemu; and indeed there is no way in qemu to make a disk read-only. The vulnerability is exploitable only via...
Missing privilege level checks in x86 emulation of software interrupts
ISSUE DESCRIPTION The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when a memory operand implicit for the affected instructions lives in...