482 matches found
Missing privilege level checks in x86 emulation of software interrupts
ISSUE DESCRIPTION The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when a memory operand implicit for the affected instructions lives in...
x86: shadow stack vs exceptions from emulation stubs
ISSUE DESCRIPTION Recent x86 CPUs offer functionality named Control-flow Enforcement Technology CET. A sub-feature of this are Shadow Stacks CET-SS. CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and...
Linux PV device frontends vulnerable to attacks by backends
ISSUE DESCRIPTION Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious...
Frontends can trigger OOM in Backends by update a watched path
ISSUE DESCRIPTION Some OSes such as Linux, FreeBSD, NetBSD are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbound, a guest may be able to trigger a OOM in the backend. IMPACT A malicious...
once valid event channels may not turn invalid
ISSUE DESCRIPTION Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determini...
virtio: unbounded memory allocation issue
ISSUE DESCRIPTION A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is incorrect but possible. Processing a request allocates a VirtQueueElement and...
x86: populate-on-demand balloon size inaccuracy can crash guests
ISSUE DESCRIPTION The design of the memory populate-on-demand PoD system requires that a guest's memory ballooning driver reach its memory reduction target. The target is not entirely well-defined in terms of the information visible to the appropriate parts of the system, so some unknown set of...
Information leak through XEN_DOMCTL_gettscinfo
ISSUE DESCRIPTION The handler for XENDOMCTLgettscinfo failed to initialize a padding field subsequently copied to guest memory. A similar bug existed in XENSYSCTLgetdomaininfolist, which is addressed by the patches provided here even though that operation was declared by XSA-77 not to provide...
VT-d interrupt remapping source validation flaw for bridges
ISSUE DESCRIPTION Interrupt remapping table entries for MSI interrupts set up by bridge devices did not get any source validation set up on them, allowing misbehaving or malicious guests to inject interrupts into the domain owning the bridges. In a typical Xen system bridge devices are owned by...
Rogue guests can cause DoS of Dom0 via high frequency events
ISSUE DESCRIPTION The handling of Xen events in the Linux kernel runs with interrupts disabled in a loop until no further event is pending. Whenever an event has been accepted by the kernel, another event can come in via the same event channel. This can result in the event handling loop running f...
Missing unlock in XENMEM_acquire_resource error path
ISSUE DESCRIPTION The RCU Read, Copy, Update mechanism is a synchronisation primitive. A buggy error path in the XENMEMacquireresource exits without releasing an RCU reference, which is conceptually similar to forgetting to unlock a spinlock. IMPACT A buggy or malicious HVM stubdomain can cause a...
Load Value Injection (LVI) speculative side channel
ISSUE DESCRIPTION This is very closely related to the Microarchitectural Data Sampling vulnerabilities from May 2019. Please see https://xenbits.xen.org/xsa/advisory-297.html for details about MDS. A new way of using the micro-architectural details behind MDS has been identified. Instead of simpl...
x86 shadow pagetables: address width overflow
ISSUE DESCRIPTION In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an...
arm: vgic-v2: GICD_SGIR is not properly emulated
ISSUE DESCRIPTION When decoding a guest write to a specific register in the virtual interrupt controller Xen would treat an invalid value as a critical error and crash the host. IMPACT By writing an invalid value to the GICD.SGIR register a guest can crash the host, resulting in a Denial of Servi...
ARM hypervisor crash on guest interrupt controller access
ISSUE DESCRIPTION When handling a guest access to the virtual GIC distributor interrupt controller Xen could dereference a pointer before checking it for validity leading to a hypervisor crash and host Denial of Service. IMPACT A buggy or malicious guest can crash the host. VULNERABLE SYSTEMS Bot...
Grant table version switch list corruption vulnerability
ISSUE DESCRIPTION Downgrading the grant table version of a guest involves freeing its status pages. This freeing was incomplete - the pages are freed back to the allocator, but not removed from the domain's tracking list. This would cause list corruption, eventually leading to a hypervisor crash...
Rogue backends can cause DoS of guests via high frequency events
ISSUE DESCRIPTION Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the...
Linux: display frontend "be-alloc" mode is unsupported
ISSUE DESCRIPTION The backend allocation mode of Linux'es drmxenfront drivers was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry. IMPACT Use of the feature may have unknown effects. VULNERABLE SYSTEMS Linux versions from 4.18 onwards are...
Special Register Buffer speculative side channel
ISSUE DESCRIPTION This issue is related to the MDS and TAA vulnerabilities. Please see https://xenbits.xen.org/xsa/advisory-297.html MDS and https://xenbits.xen.org/xsa/advisory-305.html TAA for details. Certain processor operations microarchitecturally need to read data from outside the physical...
x86 null segments not always treated as unusable
ISSUE DESCRIPTION The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses. The intended behaviour is as follows: The user data segment %ds, %es, %fs and %gs selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special...
x86: Privilege escalation in PV guests
ISSUE DESCRIPTION The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases e.g. clearing only Access/Dirty bits. The bits considered safe were too broad, and not actually safe. IMPACT A malicous PV guest administrator...
Improper MSR range used for x2APIC emulation
ISSUE DESCRIPTION The MSR range specified for APIC use in the x2APIC access model spans 256 MSRs. Hypervisor code emulating read and write accesses to these MSRs erroneously covered 1024 MSRs. While the write emulation path is written such that accesses to the extra MSRs would not have any bad...
Mishandling of uninitialised FIFO-based event channel control blocks
ISSUE DESCRIPTION When using the FIFO-based event channels, there are no checks for the existence of a control block when binding an event or moving it to a different VCPU. This is because events may be bound when the ABI is in 2-level mode e.g., by the toolstack before the domain is started. The...
oxenstored incorrect handling of certain Xenbus ring states
ISSUE DESCRIPTION The oxenstored daemon the ocaml version of the xenstore daemon does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause oxenstored to read past the end of the ring and very likely crash or to allocate large amounts...
Possible deadlock in Linux kernel event handling
ISSUE DESCRIPTION Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g...
x86: Cross-Thread Return Address Predictions
ISSUE DESCRIPTION It has been discovered that on some AMD CPUs, the RAS Return Address Stack, also called RAP - Return Address Predictor - in some AMD documentation, and RSB - Return Stack Buffer - in Intel terminology is dynamically partitioned between non-idle threads. This allows an attacker t...
IRQ vector leak on x86
ISSUE DESCRIPTION An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries setup. Such reboots will leak any vectors used by the MSI-X entries that the guest might had enabled, a...
x86: broken check in memory_exchange() permits PV guest breakout
ISSUE DESCRIPTION The XSA-29 fix introduced an insufficient check on XENMEMexchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. IMPACT A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing fo...
x86: missing NULL pointer check in VMFUNC emulation
ISSUE DESCRIPTION When support for the Intel VMX VMFUNC leaf 0 was added, a new optional function pointer hvmemulvmfunc was added to the hvmemulateops table. As is intended, that new function pointer is NULL on non-VMX hardware, including AMD SVM hardware. However at a call site, the necessary NU...
delimiter injection vulnerabilities in pygrub
ISSUE DESCRIPTION pygrub, the boot loader emulator, fails to quote or sanity check its results when reporting them to its caller. pygrub supports a number of output formats. When the S-expression output format is requested, putting string quotes and S-expressions in the bootloader configuration...
x86 software guest page walk PS bit handling flaw
ISSUE DESCRIPTION The Page Size PS page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 depending on hardware capabilities. The software page table walker in the hypervisor, however, so far ignored that bit in L...
Information leak through fbld instruction emulation
ISSUE DESCRIPTION The emulation of the fbld instruction which is used during I/O emulation uses the wrong variable for the source effective address. As a result, the actual address used is an uninitialised bit pattern from the stack. A malicious guest might be able to find out information about t...
Information leak on AVX and/or LWP capable CPUs
ISSUE DESCRIPTION When a guest increases the set of extended state components for a vCPU saved/ restored via XSAVE/XRSTOR to date this can only be the upper halves of YMM registers, or AMD's LWP state after already having touched other extended registers restored via XRSTOR e.g. floating point or...
Linux disk/nic frontends data leaks
ISSUE DESCRIPTION Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend CVE-2022-26365, CVE-2022-33740. Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K...
Race condition in Linux event handler may crash dom0
ISSUE DESCRIPTION The Linux kernel event channel handling code doesn't defend the handling of an event against the same event channel being removed in parallel. This can result in accesses to already freed memory areas or NULL pointer dereferences in the event handling code, leading to misbehavio...
Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
ISSUE DESCRIPTION Message Signaled Interrupts MSI interrupts on Intel platforms are defined as DWORD writes to a special address location 0xFEE?????. MSIs on Intel Platforms supporting VT-d have two defined formats - Remappable format interrupts, and Compatibility not remappable format interrupts...
Hypervisor crash due to missing exception recovery on XSETBV
ISSUE DESCRIPTION Processors do certain validity checks on the register values passed to XSETBV. For the PV emulation path for that instruction the hypervisor code didn't check for certain invalid bit combinations, thus exposing itself to a fault occurring when invoking that instruction on behalf...
interrupt remap entries shared and old ones not cleared on AMD IOMMUs
ISSUE DESCRIPTION To avoid an erratum in early hardware, the Xen AMD IOMMU code by default chooses to use a single interrupt remapping table for the whole system. This sharing implies that any guest with a passed through PCI device that is bus mastering capable can inject interrupts into other...
xenstored: A transaction conflict can crash C Xenstored
ISSUE DESCRIPTION When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstor...
arm: Guests can trigger a deadlock on Cortex-A77
ISSUE DESCRIPTION Cortex-A77 cores r0p0 and r1p0 are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Regist...
arm: The cache may not be cleaned for newly allocated scrubbed pages
ISSUE DESCRIPTION On Arm, a guest is allowed to control whether memory access bypass the cache. This means that Xen needs to ensure that all writes such as the ones during scrubbing have reached memory before handing over the page to a guest. Unfortunately the operation to clean the cache happens...
insufficient cache write-back under VT-d
ISSUE DESCRIPTION When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs CPU cached also needs writing back to memory after changes were made. Such writing back of cached dat...
grant table operations mishandle reference counts
ISSUE DESCRIPTION We have discovered a number of bugs in the code mapping and unmapping grant references. If a grant is mapped with both the GNTMAPdevicemap and GNTMAPhostmap flags, but unmapped only with hostmap, the devicemap portion remains but the page reference counts are lowered as though i...
QEMU leak of uninitialized heap memory in rtl8139 device model
ISSUE DESCRIPTION The QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation. This results in uninitialised memory from the QEMU process's heap being leaked to the domain as well as to the network. IMPACT A guest may be able to read sensitive...
Potential unintended writes to host MSI message data field via qemu
ISSUE DESCRIPTION Logic is in place to avoid writes to certain host config space fields when the guest must nevertheless be able to access their virtual counterparts. A bug in how this logic deals with accesses spanning multiple fields allows the guest to write to the host MSI message data field...
Lock order reversal between page allocation and grant table locks
ISSUE DESCRIPTION The locks pagealloclock and granttable.lock are not always taken in the same order. This opens the possibility of deadlock. IMPACT A malicious guest administrator can deny service to the entire host. VULNERABLE SYSTEMS Xen versions going back to at least Xen 3.2 are vulnerable. ...
Information leak through outs instruction emulation
ISSUE DESCRIPTION The emulation of the outs instruction for 64-bit PV guests uses an uninitialized variable as the segment base for the source data if an FS: or GS: segment override is used, and if the segment descriptor the respective non-null selector in the corresponding selector register poin...
x86/AMD: mismatch in IOMMU quarantine page table levels
ISSUE DESCRIPTION The current setup of the quarantine page tables assumes that the quarantine domain domio has been initialized with an address width of DEFAULTDOMAINADDRESSWIDTH 48 and hence 4 page table levels. However domio being a PV domain gets the AMD-Vi IOMMU page tables levels based on th...
lock order inversion in transitive grant copy handling
ISSUE DESCRIPTION As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, b...
race in VT-d domain ID cleanup
ISSUE DESCRIPTION Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping...