Lucene search
K
XenMost viewed

482 matches found

Xen Project
Xen Project
•added 2022/10/11 12:0 p.m.•60 views

lock order inversion in transitive grant copy handling

ISSUE DESCRIPTION As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, b...

5.6CVSS0.8AI score0.00247EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/04/05 12:0 p.m.•60 views

race in VT-d domain ID cleanup

ISSUE DESCRIPTION Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping...

7CVSS0.6AI score0.00248EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/03/18 12:0 p.m.•60 views

HVM soft-reset crashes toolstack

ISSUE DESCRIPTION libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline, but not all of them. When the...

5.5CVSS1.2AI score0.00314EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•60 views

Xenstore: guests can crash xenstored via watchs

ISSUE DESCRIPTION When a Xenstore watch fires, the xenstore client which registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry which triggered the watch, and the tag which was specified when registering the watch. Any communication with xenstored ...

6CVSS1AI score0.00385EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/11/10 6:1 p.m.•60 views

Information leak via power sidechannel

ISSUE DESCRIPTION Researchers have demonstrated using software power/energy monitoring interfaces to create covert channels, and infer the operations/data used by other contexts within the system. Access to these interfaces should be restricted to privileged software, but it was found that Xen...

4.4CVSS1.5AI score0.00393EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/05/02 12:0 p.m.•60 views

possible memory corruption via failsafe callback

ISSUE DESCRIPTION Under certain special conditions Xen reports an exception resulting from returning to guest mode not via ordinary exception entry points, but via a so call failsafe callback. This callback, unlike exception handlers, takes 4 extra arguments on the stack the saved data selectors...

8.8CVSS1.7AI score0.00421EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/05/02 12:0 p.m.•60 views

x86: 64bit PV guest breakout via pagetable use-after-mode-change

ISSUE DESCRIPTION 64-bit PV guests typically use separate root page tables for their kernel and user modes. Hypercalls are accessible to guest kernel context only, which certain hypercall handlers make assumptions on. The IRET hypercall replacing the identically name CPU instruction is used by...

8.8CVSS6.7AI score0.0049EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/10/29 11:59 a.m.•60 views

leak of main per-domain vcpu pointer array

ISSUE DESCRIPTION A domain's primary array of vcpu pointers can be allocated by a toolstack exactly once in the lifetime of a domain via the XENDOMCTLmaxvcpus hypercall. This array is leaked on domain teardown. This memory leak could -- over time -- exhaust the host's memory. IMPACT A domain give...

4.9CVSS7AI score0.00436EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/03/31 12:0 p.m.•60 views

Unmediated PCI command register access in qemu

ISSUE DESCRIPTION HVM guests are currently permitted to modify the memory and I/O decode bits in the PCI command register of devices passed through to them. Unless the device is an SR-IOV virtual function, after disabling one or both of these bits subsequent accesses to the MMIO or I/O port range...

4.9CVSS6.7AI score0.0045EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/10/02 3:0 p.m.•60 views

qemu SCSI REPORT LUNS buffer overflow

ISSUE DESCRIPTION qemu contains a possible buffer overflow in the SCSI code that implements the REPORT LUNS command. The buffer can be overflowed by creating a SCSI controller with more than 256 attached devices such as disks and sending a REPORT LUNS command with a short transfer buffer less tha...

7.2CVSS2.4AI score0.00434EPSS
Exploits0
Xen Project
Xen Project
•added 2013/09/30 10:4 a.m.•60 views

Information leaks through I/O instruction emulation

ISSUE DESCRIPTION Insufficient or missing error handling in certain routines dealing with guest memory reads can lead to uninitialized data on the hypervisor stack potentially containing sensitive data from prior work the hypervisor performed being copied to guest visible storage. This allows a...

1.5CVSS1.3AI score0.0031EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/05/02 12:0 p.m.•60 views

Several long latency operations are not preemptible

ISSUE DESCRIPTION Page table manipulation operations for PV guests can take significant amounts of time, as they require all present branches to have their type and thus contents verified. While the most frequently used operations had been made preemptible in the past, some code paths involving...

4.7CVSS3.2AI score0.00363EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/01/04 4:0 p.m.•60 views

Hypervisor crash due to incorrect ASSERT (debug build only)

ISSUE DESCRIPTION A change to an internal interface within the hypervisor invalidated an ASSERT in a caller of that API. This code path is exposed to PV guests via a hypercall allowing administrators of PV guests to crash the hypervisor if it is built with debugging enabled. IMPACT Malicious...

1.9CVSS1.9AI score0.00372EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/01/30 12:0 p.m.•59 views

pci: phantom functions assigned to incorrect contexts

ISSUE DESCRIPTION PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions nee...

5.3CVSS7AI score0.00805EPSS
Exploits0
Xen Project
Xen Project
•added 2022/12/06 3:17 p.m.•59 views

Guests can trigger NIC interface reset/abort/crash via netback

ISSUE DESCRIPTION It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an unwritten? assumption in the rest of the Linux network stack that packet protocol headers are all contained within th...

6.5CVSS1.1AI score0.00463EPSS
Exploits0
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•59 views

infinite loop when cleaning up IRQ vectors

ISSUE DESCRIPTION When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU m...

6.2CVSS2.2AI score0.0036EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/10/20 12:0 p.m.•59 views

x86: Race condition in Xen mapping code

ISSUE DESCRIPTION The Xen code handling the updating of the hypervisor's own pagetables tries to use 2MiB and 1GiB superpages as much as possible to maximize TLB efficiency. Some of the operations for checking and coalescing superpages take non-negligible amount of time; to avoid potential lock...

7CVSS1.3AI score0.0026EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/09/23 12:0 p.m.•59 views

Race condition in HVMOP_track_dirty_vram

ISSUE DESCRIPTION The routine controlling the setup of dirty video RAM tracking latches the value of a pointer before taking the respective guarding lock, thus making it possible for a stale pointer to be used by the time the lock got acquired and the pointer gets dereferenced. The hypercall...

6.1CVSS6.2AI score0.00743EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/03/24 1:0 p.m.•59 views

Linux netback crash trying to disable due to malformed packet

ISSUE DESCRIPTION When Linux's netback sees a malformed packet, it tries to disable the interface which serves the misbehaving frontend. This involves taking a mutex, which might sleep. But in recent versions of Linux the guest transmit path is handled by NAPI in softirq context, where sleeping i...

4.4CVSS6.2AI score0.00346EPSS
Exploits1
Xen Project
Xen Project
•added 2014/01/23 12:0 p.m.•59 views

Out-of-memory condition yielding memory corruption during IRQ setup

ISSUE DESCRIPTION When setting up the IRQ for a passed through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time. This would typically result in memory corruption. IMPACT Malicious guest administrators can...

4.4CVSS6.5AI score0.00444EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2023/10/10 12:0 p.m.•58 views

x86/AMD: Debug Mask handling

ISSUE DESCRIPTION AMD CPUs since 2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1 CVE-2023-34327 - An HVM vCPU can end up operating in the...

5.5CVSS6.6AI score0.00256EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•58 views

oxenstored memory leak in reset_watches

ISSUE DESCRIPTION When acting upon a guest XSRESETWATCHES request, not all tracking information is freed. IMPACT A guest can cause unbounded memory usage in oxenstored. This can lead to a system-wide DoS. VULNERABLE SYSTEMS All version of Xen since 4.6 are vulnerable. Only systems using the Ocaml...

5.5CVSS2.7AI score0.004EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•58 views

x86 pv: Crash when handling guest access to MSR_MISC_ENABLE

ISSUE DESCRIPTION When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISCENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a GP fault, which is t...

6CVSS1.5AI score0.00324EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•58 views

race when migrating timers between x86 HVM vCPU-s

ISSUE DESCRIPTION When migrating timers of x86 HVM guests between its vCPU-s, the locking model used allows for a second vCPU of the same guest also operating on the timers to release a lock that it didn't acquire. IMPACT The most likely effect of the issue is a hang or crash of the hypervisor,...

4.7CVSS1.3AI score0.00261EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/08/24 12:0 p.m.•58 views

QEMU: usb: out-of-bounds r/w access issue

ISSUE DESCRIPTION An out-of-bounds read/write access issue was found in the USB emulator of the QEMU. It occurs while processing USB packets from a guest, when 'USBDevice-setuplen' exceeds the USBDevice-databuf4096, in dotokenin,out routines. IMPACT A guest user may use this flaw to crash the QEM...

5CVSS1.6AI score0.05447EPSS
Exploits1
Xen Project
Xen Project
•added 2020/01/14 2:21 p.m.•58 views

arm: a CPU may speculate past the ERET instruction

ISSUE DESCRIPTION Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by lower privilege level i.e guest kernel/userspace at the point of the ERET, this could...

1.8AI score
Exploits0
Xen Project
Xen Project
•added 2016/06/02 12:0 p.m.•58 views

Unsanitised driver domain input in libxl device handling

ISSUE DESCRIPTION libxl's device-handling code freely uses and trusts information from the backend directories in xenstore. The backend domain driver domain can store bogus data in the backend, causing libxl's enquiry functions to fail, confusing management tools. A driver domain can also remove...

4.7CVSS1.6AI score0.00297EPSS
Exploits0
Xen Project
Xen Project
•added 2015/01/29 11:14 a.m.•58 views

arm: vgic: incorrect rate limiting of guest triggered logging

ISSUE DESCRIPTION On ARM systems the code which deals with virtualising the GIC distributor would, under various circumstances, log messages on a guest accessible code path without appropriate rate limiting. IMPACT A malicious guest could cause repeated logging to the hypervisor console, leading ...

2.1CVSS8.3AI score0.00411EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/04/22 3:5 p.m.•58 views

Hardware features unintentionally exposed to guests on ARM

ISSUE DESCRIPTION When running on an ARM platform Xen was not correctly configuring the hardware virtualisation platform and therefore did not prevent guests from accessing various hardware features including cache control, coprocessors, debug registers and various processor specific registers...

5.5CVSS6.5AI score0.00616EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/06/26 12:0 p.m.•58 views

Page reference counting error due to XSA-45/CVE-2013-1918 fixes

ISSUE DESCRIPTION The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the...

7.4CVSS0.7AI score0.00583EPSS
Exploits0
Xen Project
Xen Project
•added 2021/08/25 12:0 p.m.•57 views

long running loops in grant table handling

ISSUE DESCRIPTION In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use...

5.5CVSS0.3AI score0.00348EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•57 views

FIFO event channels control block related ordering

ISSUE DESCRIPTION Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. IMPACT Malicious or buggy guest kernels can mount a Denial of...

6.2CVSS3.3AI score0.00373EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•57 views

races with evtchn_reset()

ISSUE DESCRIPTION Uses of EVTCHNOPreset potentially by a guest on itself or XENDOMCTLsoftreset by itself covered by XSA-77 can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. IMPACT In particular x86 PV guests may ...

7CVSS4AI score0.00286EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•57 views

x86 pv guest kernel DoS via SYSENTER

ISSUE DESCRIPTION The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege GP fault typically fatal rather than ...

5.5CVSS1.4AI score0.00512EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•57 views

arm: vgic: Out-of-bound access when sending SGIs

ISSUE DESCRIPTION ARM guests can send SGI i.e. IPI targeting a list of vCPUs using the MMIO register GICDSGIR GICv2 or System Register ICCSGI1R GICv3. However, the emulation code does not sanitize the list and will directly access an array without checking whether the array index is within bounds...

6.5CVSS2.4AI score0.01804EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•57 views

Races in the grant table unmap code

ISSUE DESCRIPTION We have discovered two bugs in the code unmapping grant references. When a grant had been mapped twice by a backend domain, and then unmapped by two concurrent unmap calls, the frontend may be informed that the page had no further mappings when the first call completed rather th...

9.8CVSS0.4AI score0.02815EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/12/21 12:0 p.m.•57 views

x86 PV guests may be able to mask interrupts

ISSUE DESCRIPTION Certain PV guest kernel operations page table writes in particular need emulation, and use Xen's general x86 instruction emulator. This allows a malicious guest kernel which asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF from the state used to...

6CVSS0.3AI score0.0043EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/02/17 12:0 p.m.•57 views

x86: inconsistent cachability flags on guest mappings

ISSUE DESCRIPTION Multiple mappings of the same physical page with different cachability setting can cause problems. While one category risk of using stale data affects only guests themselves and hence avoiding this can be left for them to control, the other category being Machine Check exception...

6.8CVSS7.2AI score0.01481EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/07/19 12:0 p.m.•57 views

Excessive time to disable caching with HVM guests with PCI passthrough

ISSUE DESCRIPTION HVM guests are able to manipulate their physical address space such that processing a subsequent request by that guest to disable caches takes an extended amount of time changing the cachability of the memory pages assigned to this guest. This applies only when the guest has bee...

5.7CVSS0.6AI score0.00621EPSS
Exploits0
Xen Project
Xen Project
•added 2023/05/16 3:14 p.m.•56 views

Mishandling of guest SSBD selection on AMD hardware

ISSUE DESCRIPTION The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to...

3.3CVSS7AI score0.00264EPSS
Exploits0
Xen Project
Xen Project
•added 2021/08/25 12:0 p.m.•56 views

grant table v2 status pages may remain accessible after de-allocation

ISSUE DESCRIPTION Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched back from v2 to v1. The freeing of such...

7.8CVSS0.3AI score0.00263EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/12/19 3:37 p.m.•56 views

x86: Mishandling of SYSCALL singlestep during emulation

ISSUE DESCRIPTION The typical behaviour of singlestepping exceptions is determined at the start of the instruction, with a DB trap being raised at the end of the instruction. SYSCALL and SYSRET, although we don't implement it behave differently because the typical behaviour allows userspace to...

7.8CVSS0.9AI score0.00424EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/10/29 11:59 a.m.•56 views

x86: Uncontrolled creation of large page mappings by PV guests

ISSUE DESCRIPTION The code to validate level 2 page table entries is bypassed when certain conditions are satisfied. This means that a PV guest can create writeable mappings using super page mappings. Such writeable mappings can violate Xen intended invariants for pages which Xen is supposed to...

7.2CVSS7.7AI score0.00427EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/08/03 12:0 p.m.•56 views

Use after free in QEMU/Xen block unplug protocol

ISSUE DESCRIPTION When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer. IMPACT An HVM guest which has access to an emulated IDE disk device may be able to...

7.2CVSS6.6AI score0.00426EPSS
Exploits0
Xen Project
Xen Project
•added 2014/11/20 4:26 p.m.•56 views

Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling

ISSUE DESCRIPTION An error handling path in the processing of MMUMACHPHYSUPDATE failed to drop a page reference which was acquired in an earlier processing step. IMPACT Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack...

7.1CVSS6.2AI score0.02197EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/01/22 6:32 p.m.•55 views

Linux: netback processing of zero-length transmit fragment

ISSUE DESCRIPTION Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really useful, except for the initial part any of them may be of zero length, i.e. carry no data at all. Besides a certain initial portion of the to be transferred data, these parts are...

7.5CVSS7.5AI score0.01177EPSS
Exploits0
Xen Project
Xen Project
•added 2023/01/25 2:56 p.m.•56 views

Guests can cause Xenstore crash via soft reset

ISSUE DESCRIPTION When a guest issues a "Soft Reset" e.g. for performing a kexec the libxl based Xen toolstack will normally perform a XSRELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XSRELEASE will have the same impact. IMPACT A...

7.5CVSS1.3AI score0.01362EPSS
Exploits0
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•55 views

out of bounds event channels available to 32-bit x86 domains

ISSUE DESCRIPTION The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm either bitness ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared between guest and Xen...

5.5CVSS0.2AI score0.00426EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/12/08 11:29 a.m.•55 views

long running memory operations on ARM

ISSUE DESCRIPTION Certain HYPERVISORmemoryop subops take page order inputs, with so far insufficient enforcement of limits thereof. In particular, for all of XENMEMincreasereservation, XENMEMpopulatephysmap, and XENMEMexchange the order was limited to 9 only for guests without physical devices...

7.2CVSS8.5AI score0.00419EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/12/08 11:29 a.m.•55 views

XENMEM_exchange error handling issues

ISSUE DESCRIPTION Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is...

4.7CVSS8.2AI score0.00383EPSS
Exploits0Affected Software1
Total number of security vulnerabilities482