Lucene search
K
XenMost viewed

482 matches found

Xen Project
Xen Project
•added 2014/09/23 12:0 p.m.•68 views

Missing privilege level checks in x86 emulation of software interrupts

ISSUE DESCRIPTION The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when a memory operand implicit for the affected instructions lives in...

3.3CVSS4.9AI score0.00849EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/02/27 12:0 p.m.•67 views

x86: shadow stack vs exceptions from emulation stubs

ISSUE DESCRIPTION Recent x86 CPUs offer functionality named Control-flow Enforcement Technology CET. A sub-feature of this are Shadow Stacks CET-SS. CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and...

6.5CVSS7AI score0.00267EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/03/10 12:0 p.m.•67 views

Linux PV device frontends vulnerable to attacks by backends

ISSUE DESCRIPTION Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious...

7CVSS7.3AI score0.00351EPSS
Exploits0
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•67 views

Frontends can trigger OOM in Backends by update a watched path

ISSUE DESCRIPTION Some OSes such as Linux, FreeBSD, NetBSD are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbound, a guest may be able to trigger a OOM in the backend. IMPACT A malicious...

6.5CVSS0.8AI score0.00348EPSS
Exploits0
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•67 views

once valid event channels may not turn invalid

ISSUE DESCRIPTION Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determini...

6.5CVSS0.5AI score0.00358EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/07/27 3:0 p.m.•67 views

virtio: unbounded memory allocation issue

ISSUE DESCRIPTION A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is incorrect but possible. Processing a request allocates a VirtQueueElement and...

5.5CVSS0.5AI score0.0052EPSS
Exploits0
Xen Project
Xen Project
•added 2015/10/29 11:59 a.m.•67 views

x86: populate-on-demand balloon size inaccuracy can crash guests

ISSUE DESCRIPTION The design of the memory populate-on-demand PoD system requires that a guest's memory ballooning driver reach its memory reduction target. The target is not entirely well-defined in terms of the information visible to the appropriate parts of the system, so some unknown set of...

2.1CVSS7.3AI score0.00426EPSS
Exploits0
Xen Project
Xen Project
•added 2015/04/20 5:10 p.m.•67 views

Information leak through XEN_DOMCTL_gettscinfo

ISSUE DESCRIPTION The handler for XENDOMCTLgettscinfo failed to initialize a padding field subsequently copied to guest memory. A similar bug existed in XENSYSCTLgetdomaininfolist, which is addressed by the patches provided here even though that operation was declared by XSA-77 not to provide...

2.9CVSS9AI score0.00793EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/05/02 12:0 p.m.•67 views

VT-d interrupt remapping source validation flaw for bridges

ISSUE DESCRIPTION Interrupt remapping table entries for MSI interrupts set up by bridge devices did not get any source validation set up on them, allowing misbehaving or malicious guests to inject interrupts into the domain owning the bridges. In a typical Xen system bridge devices are owned by...

1.9CVSS2.5AI score0.00421EPSS
Exploits0
Xen Project
Xen Project
•added 2020/10/20 12:0 p.m.•66 views

Rogue guests can cause DoS of Dom0 via high frequency events

ISSUE DESCRIPTION The handling of Xen events in the Linux kernel runs with interrupts disabled in a loop until no further event is pending. Whenever an event has been accepted by the kernel, another event can come in via the same event channel. This can result in the event handling loop running f...

5.5CVSS1.6AI score0.0041EPSS
Exploits0
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•66 views

Missing unlock in XENMEM_acquire_resource error path

ISSUE DESCRIPTION The RCU Read, Copy, Update mechanism is a synchronisation primitive. A buggy error path in the XENMEMacquireresource exits without releasing an RCU reference, which is conceptually similar to forgetting to unlock a spinlock. IMPACT A buggy or malicious HVM stubdomain can cause a...

5.5CVSS0.2AI score0.00416EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/03/10 5:2 p.m.•66 views

Load Value Injection (LVI) speculative side channel

ISSUE DESCRIPTION This is very closely related to the Microarchitectural Data Sampling vulnerabilities from May 2019. Please see https://xenbits.xen.org/xsa/advisory-297.html for details about MDS. A new way of using the micro-architectural details behind MDS has been identified. Instead of simpl...

5.6CVSS2.3AI score0.0104EPSS
Exploits1
Xen Project
Xen Project
•added 2016/04/18 12:0 p.m.•66 views

x86 shadow pagetables: address width overflow

ISSUE DESCRIPTION In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an...

8.8CVSS8.7AI score0.00455EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/02/12 12:0 p.m.•66 views

arm: vgic-v2: GICD_SGIR is not properly emulated

ISSUE DESCRIPTION When decoding a guest write to a specific register in the virtual interrupt controller Xen would treat an invalid value as a critical error and crash the host. IMPACT By writing an invalid value to the GICD.SGIR register a guest can crash the host, resulting in a Denial of Servi...

4.9CVSS8.3AI score0.00415EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/04/23 1:5 p.m.•66 views

ARM hypervisor crash on guest interrupt controller access

ISSUE DESCRIPTION When handling a guest access to the virtual GIC distributor interrupt controller Xen could dereference a pointer before checking it for validity leading to a hypervisor crash and host Denial of Service. IMPACT A buggy or malicious guest can crash the host. VULNERABLE SYSTEMS Bot...

5.5CVSS6.2AI score0.00639EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/12/03 5:51 p.m.•66 views

Grant table version switch list corruption vulnerability

ISSUE DESCRIPTION Downgrading the grant table version of a guest involves freeing its status pages. This freeing was incomplete - the pages are freed back to the allocator, but not removed from the domain's tracking list. This would cause list corruption, eventually leading to a hypervisor crash...

4.7CVSS2.6AI score0.00417EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/12/20 12:0 p.m.•65 views

Rogue backends can cause DoS of guests via high frequency events

ISSUE DESCRIPTION Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the...

6.5CVSS1.6AI score0.00332EPSS
Exploits0
Xen Project
Xen Project
•added 2021/02/16 12:0 p.m.•65 views

Linux: display frontend "be-alloc" mode is unsupported

ISSUE DESCRIPTION The backend allocation mode of Linux'es drmxenfront drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry. IMPACT Use of the feature may have unknown effects. VULNERABLE SYSTEMS Linux versions from 4.18 onwards are...

7.8CVSS3.7AI score0.00346EPSS
Exploits0
Xen Project
Xen Project
•added 2020/06/09 5:0 p.m.•65 views

Special Register Buffer speculative side channel

ISSUE DESCRIPTION This issue is related to the MDS and TAA vulnerabilities. Please see https://xenbits.xen.org/xsa/advisory-297.html MDS and https://xenbits.xen.org/xsa/advisory-305.html TAA for details. Certain processor operations microarchitecturally need to read data from outside the physical...

5.5CVSS1AI score0.0054EPSS
Exploits0
Xen Project
Xen Project
•added 2016/11/22 12:0 p.m.•65 views

x86 null segments not always treated as unusable

ISSUE DESCRIPTION The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses. The intended behaviour is as follows: The user data segment %ds, %es, %fs and %gs selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special...

7.8CVSS0.6AI score0.00446EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/07/26 12:0 p.m.•65 views

x86: Privilege escalation in PV guests

ISSUE DESCRIPTION The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases e.g. clearing only Access/Dirty bits. The bits considered safe were too broad, and not actually safe. IMPACT A malicous PV guest administrator...

8.8CVSS1AI score0.004EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/10/01 12:0 p.m.•65 views

Improper MSR range used for x2APIC emulation

ISSUE DESCRIPTION The MSR range specified for APIC use in the x2APIC access model spans 256 MSRs. Hypervisor code emulating read and write accesses to these MSRs erroneously covered 1024 MSRs. While the write emulation path is written such that accesses to the extra MSRs would not have any bad...

8.3CVSS7.3AI score0.00858EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/09/09 12:30 p.m.•65 views

Mishandling of uninitialised FIFO-based event channel control blocks

ISSUE DESCRIPTION When using the FIFO-based event channels, there are no checks for the existence of a control block when binding an event or moving it to a different VCPU. This is because events may be bound when the ABI is in 2-level mode e.g., by the toolstack before the domain is started. The...

4.9CVSS6.2AI score0.00415EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/02/05 12:0 p.m.•65 views

oxenstored incorrect handling of certain Xenbus ring states

ISSUE DESCRIPTION The oxenstored daemon the ocaml version of the xenstore daemon does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause oxenstored to read past the end of the ring and very likely crash or to allocate large amounts...

4.3CVSS1.2AI score0.0059EPSS
Exploits0
Xen Project
Xen Project
•added 2023/10/10 12:0 p.m.•64 views

Possible deadlock in Linux kernel event handling

ISSUE DESCRIPTION Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g...

4.9CVSS6.4AI score0.00888EPSS
Exploits0
Xen Project
Xen Project
•added 2023/02/14 6:3 p.m.•64 views

x86: Cross-Thread Return Address Predictions

ISSUE DESCRIPTION It has been discovered that on some AMD CPUs, the RAS Return Address Stack, also called RAP - Return Address Predictor - in some AMD documentation, and RSB - Return Stack Buffer - in Intel terminology is dynamically partitioned between non-idle threads. This allows an attacker t...

4.7CVSS6.6AI score0.00289EPSS
Exploits0
Xen Project
Xen Project
•added 2021/01/21 2:10 p.m.•64 views

IRQ vector leak on x86

ISSUE DESCRIPTION An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries setup. Such reboots will leak any vectors used by the MSI-X entries that the guest might had enabled, a...

5.5CVSS1.8AI score0.00417EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/04/04 12:0 p.m.•64 views

x86: broken check in memory_exchange() permits PV guest breakout

ISSUE DESCRIPTION The XSA-29 fix introduced an insufficient check on XENMEMexchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. IMPACT A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing fo...

8.2CVSS1.3AI score0.01569EPSS
Exploits2Affected Software1
Xen Project
Xen Project
•added 2016/12/21 12:0 p.m.•64 views

x86: missing NULL pointer check in VMFUNC emulation

ISSUE DESCRIPTION When support for the Intel VMX VMFUNC leaf 0 was added, a new optional function pointer hvmemulvmfunc was added to the hvmemulateops table. As is intended, that new function pointer is NULL on non-VMX hardware, including AMD SVM hardware. However at a call site, the necessary NU...

5.5CVSS0.8AI score0.00451EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/11/22 12:0 p.m.•64 views

delimiter injection vulnerabilities in pygrub

ISSUE DESCRIPTION pygrub, the boot loader emulator, fails to quote or sanity check its results when reporting them to its caller. pygrub supports a number of output formats. When the S-expression output format is requested, putting string quotes and S-expressions in the bootloader configuration...

7.9CVSS7.5AI score0.00437EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/05/17 12:0 p.m.•64 views

x86 software guest page walk PS bit handling flaw

ISSUE DESCRIPTION The Page Size PS page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 depending on hardware capabilities. The software page table walker in the hypervisor, however, so far ignored that bit in L...

8.4CVSS0.5AI score0.00542EPSS
Exploits0
Xen Project
Xen Project
•added 2013/09/30 10:4 a.m.•64 views

Information leak through fbld instruction emulation

ISSUE DESCRIPTION The emulation of the fbld instruction which is used during I/O emulation uses the wrong variable for the source effective address. As a result, the actual address used is an uninitialised bit pattern from the stack. A malicious guest might be able to find out information about t...

2.1CVSS0.4AI score0.00395EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/09/24 12:0 p.m.•64 views

Information leak on AVX and/or LWP capable CPUs

ISSUE DESCRIPTION When a guest increases the set of extended state components for a vCPU saved/ restored via XSAVE/XRSTOR to date this can only be the upper halves of YMM registers, or AMD's LWP state after already having touched other extended registers restored via XRSTOR e.g. floating point or...

1.2CVSS0.8AI score0.00373EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/07/05 12:0 p.m.•63 views

Linux disk/nic frontends data leaks

ISSUE DESCRIPTION Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend CVE-2022-26365, CVE-2022-33740. Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K...

7.1CVSS2AI score0.00325EPSS
Exploits0
Xen Project
Xen Project
•added 2020/10/20 12:0 p.m.•62 views

Race condition in Linux event handler may crash dom0

ISSUE DESCRIPTION The Linux kernel event channel handling code doesn't defend the handling of an event against the same event channel being removed in parallel. This can result in accesses to already freed memory areas or NULL pointer dereferences in the event handling code, leading to misbehavio...

4.7CVSS0.7AI score0.00265EPSS
Exploits0
Xen Project
Xen Project
•added 2013/08/20 12:0 p.m.•62 views

Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts

ISSUE DESCRIPTION Message Signaled Interrupts MSI interrupts on Intel platforms are defined as DWORD writes to a special address location 0xFEE?????. MSIs on Intel Platforms supporting VT-d have two defined formats - Remappable format interrupts, and Compatibility not remappable format interrupts...

4.7CVSS6.5AI score0.00389EPSS
Exploits0
Xen Project
Xen Project
•added 2013/06/03 12:0 p.m.•62 views

Hypervisor crash due to missing exception recovery on XSETBV

ISSUE DESCRIPTION Processors do certain validity checks on the register values passed to XSETBV. For the PV emulation path for that instruction the hypervisor code didn't check for certain invalid bit combinations, thus exposing itself to a fault occurring when invoking that instruction on behalf...

4.7CVSS2AI score0.00371EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/02/05 12:0 p.m.•62 views

interrupt remap entries shared and old ones not cleared on AMD IOMMUs

ISSUE DESCRIPTION To avoid an erratum in early hardware, the Xen AMD IOMMU code by default chooses to use a single interrupt remapping table for the whole system. This sharing implies that any guest with a passed through PCI device that is bus mastering capable can inject interrupts into other...

4.7CVSS0.6AI score0.00411EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2023/10/10 12:0 p.m.•61 views

xenstored: A transaction conflict can crash C Xenstored

ISSUE DESCRIPTION When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstor...

5.5CVSS6.8AI score0.00256EPSS
Exploits0
Xen Project
Xen Project
•added 2023/08/01 2:44 p.m.•61 views

arm: Guests can trigger a deadlock on Cortex-A77

ISSUE DESCRIPTION Cortex-A77 cores r0p0 and r1p0 are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Regist...

5.5CVSS6.4AI score0.00218EPSS
Exploits0
Xen Project
Xen Project
•added 2021/02/16 12:0 p.m.•61 views

arm: The cache may not be cleaned for newly allocated scrubbed pages

ISSUE DESCRIPTION On Arm, a guest is allowed to control whether memory access bypass the cache. This means that Xen needs to ensure that all writes such as the ones during scrubbing have reached memory before handing over the page to a guest. Unfortunately the operation to clean the cache happens...

5.5CVSS0.5AI score0.00327EPSS
Exploits0
Xen Project
Xen Project
•added 2020/07/07 12:0 p.m.•61 views

insufficient cache write-back under VT-d

ISSUE DESCRIPTION When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs CPU cached also needs writing back to memory after changes were made. Such writing back of cached dat...

8.8CVSS0.00364EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•61 views

grant table operations mishandle reference counts

ISSUE DESCRIPTION We have discovered a number of bugs in the code mapping and unmapping grant references. If a grant is mapped with both the GNTMAPdevicemap and GNTMAPhostmap flags, but unmapped only with hostmap, the devicemap portion remains but the page reference counts are lowered as though i...

10CVSS0.5AI score0.02549EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/08/03 12:0 p.m.•61 views

QEMU leak of uninitialized heap memory in rtl8139 device model

ISSUE DESCRIPTION The QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation. This results in uninitialised memory from the QEMU process's heap being leaked to the domain as well as to the network. IMPACT A guest may be able to read sensitive...

9.3CVSS6.7AI score0.13288EPSS
Exploits0
Xen Project
Xen Project
•added 2015/06/02 12:0 p.m.•61 views

Potential unintended writes to host MSI message data field via qemu

ISSUE DESCRIPTION Logic is in place to avoid writes to certain host config space fields when the guest must nevertheless be able to access their virtual counterparts. A bug in how this logic deals with accesses spanning multiple fields allows the guest to write to the host MSI message data field...

4.9CVSS8.1AI score0.0045EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/11/01 3:7 p.m.•61 views

Lock order reversal between page allocation and grant table locks

ISSUE DESCRIPTION The locks pagealloclock and granttable.lock are not always taken in the same order. This opens the possibility of deadlock. IMPACT A malicious guest administrator can deny service to the entire host. VULNERABLE SYSTEMS Xen versions going back to at least Xen 3.2 are vulnerable. ...

5.2CVSS2.5AI score0.0067EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/10/10 12:0 p.m.•61 views

Information leak through outs instruction emulation

ISSUE DESCRIPTION The emulation of the outs instruction for 64-bit PV guests uses an uninitialized variable as the segment base for the source data if an FS: or GS: segment override is used, and if the segment descriptor the respective non-null selector in the corresponding selector register poin...

1.9CVSS0.8AI score0.00367EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2023/11/14 12:0 p.m.•60 views

x86/AMD: mismatch in IOMMU quarantine page table levels

ISSUE DESCRIPTION The current setup of the quarantine page tables assumes that the quarantine domain domio has been initialized with an address width of DEFAULTDOMAINADDRESSWIDTH 48 and hence 4 page table levels. However domio being a PV domain gets the AMD-Vi IOMMU page tables levels based on th...

5.5CVSS6.9AI score0.00284EPSS
Exploits0
Xen Project
Xen Project
•added 2022/10/11 12:0 p.m.•60 views

lock order inversion in transitive grant copy handling

ISSUE DESCRIPTION As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, b...

5.6CVSS0.8AI score0.00247EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/04/05 12:0 p.m.•60 views

race in VT-d domain ID cleanup

ISSUE DESCRIPTION Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping...

7CVSS0.6AI score0.00248EPSS
Exploits0Affected Software1
Total number of security vulnerabilities482