482 matches found
lock order inversion in transitive grant copy handling
ISSUE DESCRIPTION As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, b...
race in VT-d domain ID cleanup
ISSUE DESCRIPTION Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping...
HVM soft-reset crashes toolstack
ISSUE DESCRIPTION libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline, but not all of them. When the...
Xenstore: guests can crash xenstored via watchs
ISSUE DESCRIPTION When a Xenstore watch fires, the xenstore client which registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry which triggered the watch, and the tag which was specified when registering the watch. Any communication with xenstored ...
Information leak via power sidechannel
ISSUE DESCRIPTION Researchers have demonstrated using software power/energy monitoring interfaces to create covert channels, and infer the operations/data used by other contexts within the system. Access to these interfaces should be restricted to privileged software, but it was found that Xen...
possible memory corruption via failsafe callback
ISSUE DESCRIPTION Under certain special conditions Xen reports an exception resulting from returning to guest mode not via ordinary exception entry points, but via a so call failsafe callback. This callback, unlike exception handlers, takes 4 extra arguments on the stack the saved data selectors...
x86: 64bit PV guest breakout via pagetable use-after-mode-change
ISSUE DESCRIPTION 64-bit PV guests typically use separate root page tables for their kernel and user modes. Hypercalls are accessible to guest kernel context only, which certain hypercall handlers make assumptions on. The IRET hypercall replacing the identically name CPU instruction is used by...
leak of main per-domain vcpu pointer array
ISSUE DESCRIPTION A domain's primary array of vcpu pointers can be allocated by a toolstack exactly once in the lifetime of a domain via the XENDOMCTLmaxvcpus hypercall. This array is leaked on domain teardown. This memory leak could -- over time -- exhaust the host's memory. IMPACT A domain give...
Unmediated PCI command register access in qemu
ISSUE DESCRIPTION HVM guests are currently permitted to modify the memory and I/O decode bits in the PCI command register of devices passed through to them. Unless the device is an SR-IOV virtual function, after disabling one or both of these bits subsequent accesses to the MMIO or I/O port range...
qemu SCSI REPORT LUNS buffer overflow
ISSUE DESCRIPTION qemu contains a possible buffer overflow in the SCSI code that implements the REPORT LUNS command. The buffer can be overflowed by creating a SCSI controller with more than 256 attached devices such as disks and sending a REPORT LUNS command with a short transfer buffer less tha...
Information leaks through I/O instruction emulation
ISSUE DESCRIPTION Insufficient or missing error handling in certain routines dealing with guest memory reads can lead to uninitialized data on the hypervisor stack potentially containing sensitive data from prior work the hypervisor performed being copied to guest visible storage. This allows a...
Several long latency operations are not preemptible
ISSUE DESCRIPTION Page table manipulation operations for PV guests can take significant amounts of time, as they require all present branches to have their type and thus contents verified. While the most frequently used operations had been made preemptible in the past, some code paths involving...
Hypervisor crash due to incorrect ASSERT (debug build only)
ISSUE DESCRIPTION A change to an internal interface within the hypervisor invalidated an ASSERT in a caller of that API. This code path is exposed to PV guests via a hypercall allowing administrators of PV guests to crash the hypervisor if it is built with debugging enabled. IMPACT Malicious...
pci: phantom functions assigned to incorrect contexts
ISSUE DESCRIPTION PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions nee...
Guests can trigger NIC interface reset/abort/crash via netback
ISSUE DESCRIPTION It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an unwritten? assumption in the rest of the Linux network stack that packet protocol headers are all contained within th...
infinite loop when cleaning up IRQ vectors
ISSUE DESCRIPTION When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU m...
x86: Race condition in Xen mapping code
ISSUE DESCRIPTION The Xen code handling the updating of the hypervisor's own pagetables tries to use 2MiB and 1GiB superpages as much as possible to maximize TLB efficiency. Some of the operations for checking and coalescing superpages take non-negligible amount of time; to avoid potential lock...
Race condition in HVMOP_track_dirty_vram
ISSUE DESCRIPTION The routine controlling the setup of dirty video RAM tracking latches the value of a pointer before taking the respective guarding lock, thus making it possible for a stale pointer to be used by the time the lock got acquired and the pointer gets dereferenced. The hypercall...
Linux netback crash trying to disable due to malformed packet
ISSUE DESCRIPTION When Linux's netback sees a malformed packet, it tries to disable the interface which serves the misbehaving frontend. This involves taking a mutex, which might sleep. But in recent versions of Linux the guest transmit path is handled by NAPI in softirq context, where sleeping i...
Out-of-memory condition yielding memory corruption during IRQ setup
ISSUE DESCRIPTION When setting up the IRQ for a passed through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time. This would typically result in memory corruption. IMPACT Malicious guest administrators can...
x86/AMD: Debug Mask handling
ISSUE DESCRIPTION AMD CPUs since 2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1 CVE-2023-34327 - An HVM vCPU can end up operating in the...
oxenstored memory leak in reset_watches
ISSUE DESCRIPTION When acting upon a guest XSRESETWATCHES request, not all tracking information is freed. IMPACT A guest can cause unbounded memory usage in oxenstored. This can lead to a system-wide DoS. VULNERABLE SYSTEMS All version of Xen since 4.6 are vulnerable. Only systems using the Ocaml...
x86 pv: Crash when handling guest access to MSR_MISC_ENABLE
ISSUE DESCRIPTION When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISCENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a GP fault, which is t...
race when migrating timers between x86 HVM vCPU-s
ISSUE DESCRIPTION When migrating timers of x86 HVM guests between its vCPU-s, the locking model used allows for a second vCPU of the same guest also operating on the timers to release a lock that it didn't acquire. IMPACT The most likely effect of the issue is a hang or crash of the hypervisor,...
QEMU: usb: out-of-bounds r/w access issue
ISSUE DESCRIPTION An out-of-bounds read/write access issue was found in the USB emulator of the QEMU. It occurs while processing USB packets from a guest, when 'USBDevice-setuplen' exceeds the USBDevice-databuf4096, in dotokenin,out routines. IMPACT A guest user may use this flaw to crash the QEM...
arm: a CPU may speculate past the ERET instruction
ISSUE DESCRIPTION Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by lower privilege level i.e guest kernel/userspace at the point of the ERET, this could...
Unsanitised driver domain input in libxl device handling
ISSUE DESCRIPTION libxl's device-handling code freely uses and trusts information from the backend directories in xenstore. The backend domain driver domain can store bogus data in the backend, causing libxl's enquiry functions to fail, confusing management tools. A driver domain can also remove...
arm: vgic: incorrect rate limiting of guest triggered logging
ISSUE DESCRIPTION On ARM systems the code which deals with virtualising the GIC distributor would, under various circumstances, log messages on a guest accessible code path without appropriate rate limiting. IMPACT A malicious guest could cause repeated logging to the hypervisor console, leading ...
Hardware features unintentionally exposed to guests on ARM
ISSUE DESCRIPTION When running on an ARM platform Xen was not correctly configuring the hardware virtualisation platform and therefore did not prevent guests from accessing various hardware features including cache control, coprocessors, debug registers and various processor specific registers...
Page reference counting error due to XSA-45/CVE-2013-1918 fixes
ISSUE DESCRIPTION The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the...
long running loops in grant table handling
ISSUE DESCRIPTION In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use...
FIFO event channels control block related ordering
ISSUE DESCRIPTION Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. IMPACT Malicious or buggy guest kernels can mount a Denial of...
races with evtchn_reset()
ISSUE DESCRIPTION Uses of EVTCHNOPreset potentially by a guest on itself or XENDOMCTLsoftreset by itself covered by XSA-77 can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. IMPACT In particular x86 PV guests may ...
x86 pv guest kernel DoS via SYSENTER
ISSUE DESCRIPTION The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege GP fault typically fatal rather than ...
arm: vgic: Out-of-bound access when sending SGIs
ISSUE DESCRIPTION ARM guests can send SGI i.e. IPI targeting a list of vCPUs using the MMIO register GICDSGIR GICv2 or System Register ICCSGI1R GICv3. However, the emulation code does not sanitize the list and will directly access an array without checking whether the array index is within bounds...
Races in the grant table unmap code
ISSUE DESCRIPTION We have discovered two bugs in the code unmapping grant references. When a grant had been mapped twice by a backend domain, and then unmapped by two concurrent unmap calls, the frontend may be informed that the page had no further mappings when the first call completed rather th...
x86 PV guests may be able to mask interrupts
ISSUE DESCRIPTION Certain PV guest kernel operations page table writes in particular need emulation, and use Xen's general x86 instruction emulator. This allows a malicious guest kernel which asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF from the state used to...
x86: inconsistent cachability flags on guest mappings
ISSUE DESCRIPTION Multiple mappings of the same physical page with different cachability setting can cause problems. While one category risk of using stale data affects only guests themselves and hence avoiding this can be left for them to control, the other category being Machine Check exception...
Excessive time to disable caching with HVM guests with PCI passthrough
ISSUE DESCRIPTION HVM guests are able to manipulate their physical address space such that processing a subsequent request by that guest to disable caches takes an extended amount of time changing the cachability of the memory pages assigned to this guest. This applies only when the guest has bee...
Mishandling of guest SSBD selection on AMD hardware
ISSUE DESCRIPTION The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to...
grant table v2 status pages may remain accessible after de-allocation
ISSUE DESCRIPTION Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched back from v2 to v1. The freeing of such...
x86: Mishandling of SYSCALL singlestep during emulation
ISSUE DESCRIPTION The typical behaviour of singlestepping exceptions is determined at the start of the instruction, with a DB trap being raised at the end of the instruction. SYSCALL and SYSRET, although we don't implement it behave differently because the typical behaviour allows userspace to...
x86: Uncontrolled creation of large page mappings by PV guests
ISSUE DESCRIPTION The code to validate level 2 page table entries is bypassed when certain conditions are satisfied. This means that a PV guest can create writeable mappings using super page mappings. Such writeable mappings can violate Xen intended invariants for pages which Xen is supposed to...
Use after free in QEMU/Xen block unplug protocol
ISSUE DESCRIPTION When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer. IMPACT An HVM guest which has access to an emulated IDE disk device may be able to...
Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
ISSUE DESCRIPTION An error handling path in the processing of MMUMACHPHYSUPDATE failed to drop a page reference which was acquired in an earlier processing step. IMPACT Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack...
Linux: netback processing of zero-length transmit fragment
ISSUE DESCRIPTION Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really useful, except for the initial part any of them may be of zero length, i.e. carry no data at all. Besides a certain initial portion of the to be transferred data, these parts are...
Guests can cause Xenstore crash via soft reset
ISSUE DESCRIPTION When a guest issues a "Soft Reset" e.g. for performing a kexec the libxl based Xen toolstack will normally perform a XSRELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XSRELEASE will have the same impact. IMPACT A...
out of bounds event channels available to 32-bit x86 domains
ISSUE DESCRIPTION The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm either bitness ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared between guest and Xen...
long running memory operations on ARM
ISSUE DESCRIPTION Certain HYPERVISORmemoryop subops take page order inputs, with so far insufficient enforcement of limits thereof. In particular, for all of XENMEMincreasereservation, XENMEMpopulatephysmap, and XENMEMexchange the order was limited to 9 only for guests without physical devices...
XENMEM_exchange error handling issues
ISSUE DESCRIPTION Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is...