482 matches found
arm: Race between domain destruction and memory allocation decrease
ISSUE DESCRIPTION While freeing the memory associated with a domain during domain destruction Xen could race with a toolstack domain reducing the amount of memory associated with that same domain via the XENMEMdecreasereservation. In the case where this race is hit the host will crash. The race i...
printk is not rate-limited in xenmem_add_to_physmap_one
ISSUE DESCRIPTION XENMAPSPACEgmfnforeign dumps the p2m, on ARM, when it fails to get a reference on the foreign page. However, dumpp2mlookup does not use rate-limited printk. A malicious infrastructure domain, which is allowed to map memory of a foreign guest, would be able to flood the Xen...
Insufficient restrictions on certain MMU update hypercalls
ISSUE DESCRIPTION MMU update operations targeting page tables are intended to be used on PV guests only. The lack of a respective check made it possible for such operations to access certain function pointers which remain NULL when the target guest is using Hardware Assisted Paging HAP. IMPACT...
Hypervisor heap contents leaked to guests
ISSUE DESCRIPTION While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would...
integer overflow in several XSM/Flask hypercalls
ISSUE DESCRIPTION The FLASKGET,SETBOOL, FLASKUSER and FLASKCONTEXTTOSID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an...
x86/Intel: Gather Data Sampling
ISSUE DESCRIPTION A researcher has discovered Gather Data Sampling, a transient execution side-channel whereby the AVX GATHER instructions can forward the content of stale vector registers to dependent instructions. The physical register file is a structure competitively shared between sibling...
x86/HVM pinned cache attributes mis-handling
ISSUE DESCRIPTION To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such...
Racy interactions between dirty vram tracking and paging log dirty hypercalls
ISSUE DESCRIPTION Activation of log dirty mode done by XENDMOPtrackdirtyvram was named HVMOPtrackdirtyvram before Xen 4.9 is racy with ongoing log dirty hypercalls. A suitably timed call to XENDMOPtrackdirtyvram can enable log dirty while another CPU is still in the process of tearing down the...
inverted code paths in x86 dirty VRAM tracking
ISSUE DESCRIPTION An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. IMPACT A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service DoS...
qemu ioport array overflow
ISSUE DESCRIPTION The code in qemu which implements ioport read/write looks up the specified ioport address in a dispatch table. The argument to the dispatch function is a uint32t, and is used without a range check, even though the table has entries for only 2^16 ioports. When qemu is used as a...
x86 HVM: Overflow of sh_ctxt->seg_reg[]
ISSUE DESCRIPTION x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state. IMPACT A malicious HVM guest administrator can...
Unrestricted qemu logging
ISSUE DESCRIPTION When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large. IMPACT The disk...
Off-by-one error in FLASK_AVC_CACHESTAT hypercall
ISSUE DESCRIPTION The FLASKAVCCACHESTAT hypercall, which provides access to per-cpu statistics on the Flask security policy, incorrectly validates the CPU for which statistics are being requested. IMPACT An attacker can cause the hypervisor to read past the end of an array. This may result in...
Multiple vulnerabilities in libelf PV kernel handling
ISSUE DESCRIPTION The ELF parser used by the Xen tools to read domains' kernels and construct domains has multiple integer overflows, pointer dereferences based on calculations from unchecked input values, and other problems. This corresponds to the following CVEs: CVE-2013-2194 XEN XSA-55 intege...
Linux/xen-netfront: Memory leak due to missing cleanup function
ISSUE DESCRIPTION In netfront, xennetalloconerxbuffer failed to call the appropriate clean-up function, resulting in a memory leak. IMPACT A malicious guest userspace process can exhaust memory resources within the guest kernel, potentially leading to a guest crash Denial of Service. It is not...
x86/AMD: missing IOMMU TLB flushing
ISSUE DESCRIPTION The caching invalidation guidelines from the AMD-Vi specification 48882—Rev 3.07-PUB—Oct 2022 is incorrect on some hardware, as devices will malfunction see stale DMA mappings if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can poi...
NULL pointer deref in event channel poll
ISSUE DESCRIPTION When polling event channels, in general arbitrary port numbers can be specified. Specifically, there is no requirement that a polled event channel ports has ever been created. When the code was generalised from an earlier implementation, introducing some intermediate pointers, a...
Insufficient TLB flushing in VT-d (iommu) code
ISSUE DESCRIPTION An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended. IMPACT Malicious guest...
x86 HVM hypercalls may trigger Xen bug check
ISSUE DESCRIPTION Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of...
inadequate grant-v2 status frames array bounds check
ISSUE DESCRIPTION The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit gues...
x86: TSX Async Abort protections not restored after S3
ISSUE DESCRIPTION This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX the default and preferred option requires selecting a non-default setting in MSRTSXCTRL. This setti...
Linux ioperm bitmap context switching issues
ISSUE DESCRIPTION Linux 5.5 overhauled the internal state handling for the iopl and ioperm system calls. Unfortunately, one aspect on context switch wasn't wired up correctly for the Xen PVOps case. IMPACT IO port permissions don't get rescinded when context switching to an unprivileged task...
x86 software interrupt injection mis-handled
ISSUE DESCRIPTION There are two closely-related bugs. When Xen emulates instructions which generate software interrupts it needs to perform a privilege check involving an IDT lookup. This check is sometimes erroneously conducted as if the IDT had the format for a 32-bit guest, when in fact it is ...
libvchan failure handling malicious ring indexes
ISSUE DESCRIPTION libvchan a library for inter-domain communication does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause a libvchan-using facility to read or write past the end of the ring. IMPACT libvchan-using facilities are...
Buffer overflow in xencontrol Python bindings affecting xend
ISSUE DESCRIPTION The Python bindings for the xcvcpusetaffinity call do not properly check their inputs. Systems which allow untrusted administrators to configure guest vcpu affinity may be exploited to trigger a buffer overrun and corrupt memory. IMPACT An attacker who is able to configure a...
certain VT-d IOMMUs may not work in shared page table mode
ISSUE DESCRIPTION For efficiency reasons, address translation control structures page tables may and, on suitable hardware, by default will be shared between CPUs, for second-level translation EPT, and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU ma...
IOMMU page mapping issues on x86
ISSUE DESCRIPTION Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply ...
XAPI: guest-triggered excessive memory usage
ISSUE DESCRIPTION Certain xenstore keys provide feedback from the guest, and are therefore watched by toolstack. Specifically, keys are watched by xenopsd, and data are forward via RPC through message-switch to xapi. The watching logic in xenopsd sends one RPC update containing all data, any time...
qemu incautious about shared ring processing
ISSUE DESCRIPTION The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor which the guest under control can obtain mappings of can be fetched twice during which time the guest can alter the...
x86: unintentional logging upon guest changing callback method
ISSUE DESCRIPTION HYPERVISORhvmop sub-op HVMOPsetparam's HVMPARAMCALLBACKIRQ operation intends to log the new callback method in debug builds only. The full message, however, is split into two parts, the second one of which didn't get suppressed on non-debug builds as would have been intended...
Flaws in handling traps from 32-bit userspace on 64-bit ARM
ISSUE DESCRIPTION When handling a trap from guest mode on ARM, Xen asserts that the current guest mode must match the domain address width. This assertion is false when a guest takes a trap from a 32-bit userspace running on a 64-bit kernel in a 64-bit domain. IMPACT Any user in a guest which is...
Long latency virtual-mmu operations are not preemptible
ISSUE DESCRIPTION Some MMU virtualization operations on HVM guests must process every page assigned to a guest. For larger guests, this can tie up a vcpu for a significant amount of time, as the operations are not preemptible. For guests using Hardware Assisted Paging HAP, see below this is...
VT-d: Failure to quarantine devices in !HVM builds
ISSUE DESCRIPTION Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen. IMPACT When a device is removed from a domain, it is not properly quarantined and retains its access to the domain...
Guests can trigger deadlock in Linux netback driver
ISSUE DESCRIPTION The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling CVE-2022-42328. Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll bein...
xen/arm: No memory limit for dom0less domUs
ISSUE DESCRIPTION The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allow a domain to allocate memory beyond what an administrator originally configured. IMPACT Malicious dom0less gues...
xen/arm: Boot modules are not scrubbed
ISSUE DESCRIPTION The bootloader will load boot modules e.g. kernel, initramfs... in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, i...
Xenstore: new domains inheriting existing node permissions
ISSUE DESCRIPTION Access rights of Xenstore nodes are per domid. Unfortunately, existing granted access rights are not removed when a domain is destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domains with the...
undue recursion in x86 HVM context switch code
ISSUE DESCRIPTION When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen witho...
oxenstored: node ownership can be changed by unprivileged clients
ISSUE DESCRIPTION Nodes in xenstore have an ownership. In oxenstored, a owner could give a node away. But node ownership has quota implications. Any guest can run another guest out of quota, or create an unbounded number of nodes owned by dom0, thus running xenstored out of memory IMPACT A...
stack corruption from XSA-346 change
ISSUE DESCRIPTION One of the two changes for XSA-346 introduced an on-stack array. The check for guarding against overrunning this array was off by one, allowing for corruption of the first stack slot immediately following this array. IMPACT A malicious or buggy HVM or PVH guest can cause Xen to...
arm: Host crash caused by VMID exhaustion
ISSUE DESCRIPTION VMIDs are a finite hardware resource, and allocated as part of domain creation. If no free VMIDs are available when trying to create a new domain, a bug in the error path causes a NULL pointer to be used, resulting in a Data Abort and host crash. IMPACT Attempting to create too...
x86/AMD: Zenbleed
ISSUE DESCRIPTION Researchers at Google have discovered Zenbleed, a hardware bug causing corruption of the vector registers. When a VZEROUPPER instruction is discarded as part of a bad transient execution path, its effect on internal tracking are not unwound correctly. This manifests as the wrong...
x86 pv: Race condition in typeref acquisition
ISSUE DESCRIPTION Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the log...
oxenstored: permissions not checked on root node
ISSUE DESCRIPTION In the Ocaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent. Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests can get and modify...
stale P2M mappings due to insufficient error checking
ISSUE DESCRIPTION Certain actions require removing pages from a guest's P2M Physical-to-Machine mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation to replace a large mapping with individual smaller ones. If...
libxl leak of pv kernel and initrd on error
ISSUE DESCRIPTION When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain e.g. pygrub libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain. However if building the domain...
several hypercalls do not validate input GFNs
ISSUE DESCRIPTION The function getpagefromgfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash. IMPACT A malicious guest administrator of a PV guest can cause Xen t...
x86: speculative vulnerability in 32bit SYSCALL path
ISSUE DESCRIPTION Due to an oversight in the very original Spectre/Meltdown security work XSA-254, one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. IMPACT An...
PoD operations on misaligned GFNs
ISSUE DESCRIPTION x86 HVM and PVH guests may be started in populate-on-demand PoD mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specifie...
inappropriate x86 IOMMU timeout detection / handling
ISSUE DESCRIPTION IOMMUs process commands issued to them in parallel with the operation of the CPUs issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the...