Lucene search
K
XenMost viewed

482 matches found

Xen Project
Xen Project
•added 2015/10/29 11:59 a.m.•55 views

arm: Race between domain destruction and memory allocation decrease

ISSUE DESCRIPTION While freeing the memory associated with a domain during domain destruction Xen could race with a toolstack domain reducing the amount of memory associated with that same domain via the XENMEMdecreasereservation. In the case where this race is hit the host will crash. The race i...

4.7CVSS8.5AI score0.00279EPSS
Exploits0
Xen Project
Xen Project
•added 2015/09/01 12:0 p.m.•55 views

printk is not rate-limited in xenmem_add_to_physmap_one

ISSUE DESCRIPTION XENMAPSPACEgmfnforeign dumps the p2m, on ARM, when it fails to get a reference on the foreign page. However, dumpp2mlookup does not use rate-limited printk. A malicious infrastructure domain, which is allowed to map memory of a foreign guest, would be able to flood the Xen...

2.1CVSS8AI score0.00405EPSS
Exploits0
Xen Project
Xen Project
•added 2014/11/18 12:0 p.m.•55 views

Insufficient restrictions on certain MMU update hypercalls

ISSUE DESCRIPTION MMU update operations targeting page tables are intended to be used on PV guests only. The lack of a respective check made it possible for such operations to access certain function pointers which remain NULL when the target guest is using Hardware Assisted Paging HAP. IMPACT...

5.4CVSS9AI score0.02221EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/06/17 11:44 a.m.•55 views

Hypervisor heap contents leaked to guests

ISSUE DESCRIPTION While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would...

2.7CVSS5.8AI score0.00684EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/02/06 12:0 p.m.•55 views

integer overflow in several XSM/Flask hypercalls

ISSUE DESCRIPTION The FLASKGET,SETBOOL, FLASKUSER and FLASKCONTEXTTOSID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an...

5.2CVSS5.3AI score0.00547EPSS
Exploits0
Xen Project
Xen Project
•added 2023/08/08 5:0 p.m.•54 views

x86/Intel: Gather Data Sampling

ISSUE DESCRIPTION A researcher has discovered Gather Data Sampling, a transient execution side-channel whereby the AVX GATHER instructions can forward the content of stale vector registers to dependent instructions. The physical register file is a structure competitively shared between sibling...

6.5CVSS6.8AI score0.03882EPSS
Exploits1
Xen Project
Xen Project
•added 2023/03/21 12:0 p.m.•54 views

x86/HVM pinned cache attributes mis-handling

ISSUE DESCRIPTION To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such...

8.6CVSS6.8AI score0.01189EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/04/05 12:0 p.m.•54 views

Racy interactions between dirty vram tracking and paging log dirty hypercalls

ISSUE DESCRIPTION Activation of log dirty mode done by XENDMOPtrackdirtyvram was named HVMOPtrackdirtyvram before Xen 4.9 is racy with ongoing log dirty hypercalls. A suitably timed call to XENDMOPtrackdirtyvram can enable log dirty while another CPU is still in the process of tearing down the...

5.6CVSS0.5AI score0.00232EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/07/07 12:0 p.m.•54 views

inverted code paths in x86 dirty VRAM tracking

ISSUE DESCRIPTION An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. IMPACT A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service DoS...

6.5CVSS0.3AI score0.00413EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/12/06 12:0 p.m.•54 views

qemu ioport array overflow

ISSUE DESCRIPTION The code in qemu which implements ioport read/write looks up the specified ioport address in a dispatch table. The argument to the dispatch function is a uint32t, and is used without a range check, even though the table has entries for only 2^16 ioports. When qemu is used as a...

7.5CVSS0.00364EPSS
Exploits0
Xen Project
Xen Project
•added 2016/09/08 12:0 p.m.•54 views

x86 HVM: Overflow of sh_ctxt->seg_reg[]

ISSUE DESCRIPTION x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state. IMPACT A malicious HVM guest administrator can...

4.1CVSS0.00392EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/05/23 5:9 p.m.•54 views

Unrestricted qemu logging

ISSUE DESCRIPTION When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large. IMPACT The disk...

6.5CVSS6.6AI score0.00471EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/02/06 12:0 p.m.•54 views

Off-by-one error in FLASK_AVC_CACHESTAT hypercall

ISSUE DESCRIPTION The FLASKAVCCACHESTAT hypercall, which provides access to per-cpu statistics on the Flask security policy, incorrectly validates the CPU for which statistics are being requested. IMPACT An attacker can cause the hypervisor to read past the end of an array. This may result in...

5.8CVSS6AI score0.00525EPSS
Exploits0
Xen Project
Xen Project
•added 2013/06/03 4:18 p.m.•54 views

Multiple vulnerabilities in libelf PV kernel handling

ISSUE DESCRIPTION The ELF parser used by the Xen tools to read domains' kernels and construct domains has multiple integer overflows, pointer dereferences based on calculations from unchecked input values, and other problems. This corresponds to the following CVEs: CVE-2013-2194 XEN XSA-55 intege...

6.9CVSS1.5AI score0.00375EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/05/07 5:12 p.m.•53 views

Linux/xen-netfront: Memory leak due to missing cleanup function

ISSUE DESCRIPTION In netfront, xennetalloconerxbuffer failed to call the appropriate clean-up function, resulting in a memory leak. IMPACT A malicious guest userspace process can exhaust memory resources within the guest kernel, potentially leading to a guest crash Denial of Service. It is not...

5.5CVSS7.1AI score0.00253EPSS
Exploits0
Xen Project
Xen Project
•added 2023/10/10 12:0 p.m.•53 views

x86/AMD: missing IOMMU TLB flushing

ISSUE DESCRIPTION The caching invalidation guidelines from the AMD-Vi specification 48882—Rev 3.07-PUB—Oct 2022 is incorrect on some hardware, as devices will malfunction see stale DMA mappings if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can poi...

7.8CVSS6.6AI score0.00287EPSS
Exploits0
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•53 views

NULL pointer deref in event channel poll

ISSUE DESCRIPTION When polling event channels, in general arbitrary port numbers can be specified. Specifically, there is no requirement that a polled event channel ports has ever been created. When the code was generalised from an earlier implementation, introducing some intermediate pointers, a...

9.4CVSS3.4AI score0.02567EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/11/20 5:8 p.m.•53 views

Insufficient TLB flushing in VT-d (iommu) code

ISSUE DESCRIPTION An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended. IMPACT Malicious guest...

7.9CVSS0.5AI score0.01388EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/04/09 12:0 p.m.•52 views

x86 HVM hypercalls may trigger Xen bug check

ISSUE DESCRIPTION Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of...

6.5CVSS6.7AI score0.0853EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/08/25 12:0 p.m.•52 views

inadequate grant-v2 status frames array bounds check

ISSUE DESCRIPTION The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit gues...

5.5CVSS0.3AI score0.00353EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/06/08 5:0 p.m.•52 views

x86: TSX Async Abort protections not restored after S3

ISSUE DESCRIPTION This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX the default and preferred option requires selecting a non-default setting in MSRTSXCTRL. This setti...

6.5CVSS0.01019EPSS
Exploits0
Xen Project
Xen Project
•added 2020/07/16 12:0 p.m.•52 views

Linux ioperm bitmap context switching issues

ISSUE DESCRIPTION Linux 5.5 overhauled the internal state handling for the iopl and ioperm system calls. Unfortunately, one aspect on context switch wasn't wired up correctly for the Xen PVOps case. IMPACT IO port permissions don't get rescinded when context switching to an unprivileged task...

7.8CVSS0.7AI score0.00325EPSS
Exploits0
Xen Project
Xen Project
•added 2016/11/22 12:0 p.m.•52 views

x86 software interrupt injection mis-handled

ISSUE DESCRIPTION There are two closely-related bugs. When Xen emulates instructions which generate software interrupts it needs to perform a privilege check involving an IDT lookup. This check is sometimes erroneously conducted as if the IDT had the format for a 32-bit guest, when in fact it is ...

5.5CVSS0.4AI score0.0039EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/02/06 12:0 p.m.•52 views

libvchan failure handling malicious ring indexes

ISSUE DESCRIPTION libvchan a library for inter-domain communication does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause a libvchan-using facility to read or write past the end of the ring. IMPACT libvchan-using facilities are...

4.9CVSS6AI score0.00537EPSS
Exploits0
Xen Project
Xen Project
•added 2013/05/17 12:0 p.m.•52 views

Buffer overflow in xencontrol Python bindings affecting xend

ISSUE DESCRIPTION The Python bindings for the xcvcpusetaffinity call do not properly check their inputs. Systems which allow untrusted administrators to configure guest vcpu affinity may be exploited to trigger a buffer overrun and corrupt memory. IMPACT An attacker who is able to configure a...

7.4CVSS0.9AI score0.01058EPSS
Exploits0
Xen Project
Xen Project
•added 2021/11/19 2:10 p.m.•51 views

certain VT-d IOMMUs may not work in shared page table mode

ISSUE DESCRIPTION For efficiency reasons, address translation control structures page tables may and, on suitable hardware, by default will be shared between CPUs, for second-level translation EPT, and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU ma...

8.8CVSS8.4AI score0.00276EPSS
Exploits0
Xen Project
Xen Project
•added 2021/08/25 12:0 p.m.•51 views

IOMMU page mapping issues on x86

ISSUE DESCRIPTION Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply ...

6.8CVSS1.6AI score0.00378EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•51 views

XAPI: guest-triggered excessive memory usage

ISSUE DESCRIPTION Certain xenstore keys provide feedback from the guest, and are therefore watched by toolstack. Specifically, keys are watched by xenopsd, and data are forward via RPC through message-switch to xapi. The watching logic in xenopsd sends one RPC update containing all data, any time...

7.8CVSS1.2AI score0.01428EPSS
Exploits0
Xen Project
Xen Project
•added 2016/11/22 12:0 p.m.•51 views

qemu incautious about shared ring processing

ISSUE DESCRIPTION The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor which the guest under control can obtain mappings of can be fetched twice during which time the guest can alter the...

7.5CVSS2.3AI score0.00295EPSS
Exploits0
Xen Project
Xen Project
•added 2015/12/21 11:12 a.m.•51 views

x86: unintentional logging upon guest changing callback method

ISSUE DESCRIPTION HYPERVISORhvmop sub-op HVMOPsetparam's HVMPARAMCALLBACKIRQ operation intends to log the new callback method in debug builds only. The full message, however, is split into two parts, the second one of which didn't get suppressed on non-debug builds as would have been intended...

5CVSS6AI score0.01163EPSS
Exploits0
Xen Project
Xen Project
•added 2014/08/12 12:0 p.m.•51 views

Flaws in handling traps from 32-bit userspace on 64-bit ARM

ISSUE DESCRIPTION When handling a trap from guest mode on ARM, Xen asserts that the current guest mode must match the domain address width. This assertion is false when a guest takes a trap from a 32-bit userspace running on a 64-bit kernel in a 64-bit domain. IMPACT Any user in a guest which is...

4.3CVSS6AI score0.00425EPSS
Exploits0
Xen Project
Xen Project
•added 2014/08/12 12:0 p.m.•51 views

Long latency virtual-mmu operations are not preemptible

ISSUE DESCRIPTION Some MMU virtualization operations on HVM guests must process every page assigned to a guest. For larger guests, this can tie up a vcpu for a significant amount of time, as the operations are not preemptible. For guests using Hardware Assisted Paging HAP, see below this is...

4.7CVSS6.8AI score0.00428EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2024/01/30 12:0 p.m.•50 views

VT-d: Failure to quarantine devices in !HVM builds

ISSUE DESCRIPTION Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen. IMPACT When a device is removed from a domain, it is not properly quarantined and retains its access to the domain...

4.1CVSS7.3AI score0.00264EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/12/06 3:17 p.m.•50 views

Guests can trigger deadlock in Linux netback driver

ISSUE DESCRIPTION The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling CVE-2022-42328. Additionally when dropping packages for other reasons the same deadlock could occur in case of netpoll bein...

6.2CVSS1.1AI score0.00213EPSS
Exploits0
Xen Project
Xen Project
•added 2021/08/25 12:0 p.m.•50 views

xen/arm: No memory limit for dom0less domUs

ISSUE DESCRIPTION The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allow a domain to allocate memory beyond what an administrator originally configured. IMPACT Malicious dom0less gues...

6.8CVSS2.3AI score0.0187EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/06/08 5:0 p.m.•50 views

xen/arm: Boot modules are not scrubbed

ISSUE DESCRIPTION The bootloader will load boot modules e.g. kernel, initramfs... in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, i...

5.5CVSS0.6AI score0.00321EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•51 views

Xenstore: new domains inheriting existing node permissions

ISSUE DESCRIPTION Access rights of Xenstore nodes are per domid. Unfortunately, existing granted access rights are not removed when a domain is destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domains with the...

8.8CVSS8.5AI score0.00347EPSS
Exploits0
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•50 views

undue recursion in x86 HVM context switch code

ISSUE DESCRIPTION When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen witho...

5.5CVSS3.4AI score0.00438EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•50 views

oxenstored: node ownership can be changed by unprivileged clients

ISSUE DESCRIPTION Nodes in xenstore have an ownership. In oxenstored, a owner could give a node away. But node ownership has quota implications. Any guest can run another guest out of quota, or create an unbounded number of nodes owned by dom0, thus running xenstored out of memory IMPACT A...

6CVSS3AI score0.00406EPSS
Exploits0
Xen Project
Xen Project
•added 2020/11/24 12:0 p.m.•50 views

stack corruption from XSA-346 change

ISSUE DESCRIPTION One of the two changes for XSA-346 introduced an on-stack array. The check for guarding against overrunning this array was off by one, allowing for corruption of the first stack slot immediately following this array. IMPACT A malicious or buggy HVM or PVH guest can cause Xen to...

8.8CVSS3AI score0.00373EPSS
Exploits0
Xen Project
Xen Project
•added 2016/06/03 9:47 a.m.•50 views

arm: Host crash caused by VMID exhaustion

ISSUE DESCRIPTION VMIDs are a finite hardware resource, and allocated as part of domain creation. If no free VMIDs are available when trying to create a new domain, a bug in the error path causes a NULL pointer to be used, resulting in a Data Abort and host crash. IMPACT Attempting to create too...

5.6CVSS1.8AI score0.00342EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2023/07/24 4:3 p.m.•49 views

x86/AMD: Zenbleed

ISSUE DESCRIPTION Researchers at Google have discovered Zenbleed, a hardware bug causing corruption of the vector registers. When a VZEROUPPER instruction is discarded as part of a bad transient execution path, its effect on internal tracking are not unwound correctly. This manifests as the wrong...

5.5CVSS6.7AI score0.05794EPSS
Exploits1
Xen Project
Xen Project
•added 2022/06/09 12:0 p.m.•49 views

x86 pv: Race condition in typeref acquisition

ISSUE DESCRIPTION Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the log...

6.9CVSS1.3AI score0.00379EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•49 views

oxenstored: permissions not checked on root node

ISSUE DESCRIPTION In the Ocaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent. Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests can get and modify...

8.8CVSS2.3AI score0.00304EPSS
Exploits0
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•49 views

stale P2M mappings due to insufficient error checking

ISSUE DESCRIPTION Certain actions require removing pages from a guest's P2M Physical-to-Machine mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation to replace a large mapping with individual smaller ones. If...

10CVSS0.3AI score0.0367EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/12/08 11:29 a.m.•49 views

libxl leak of pv kernel and initrd on error

ISSUE DESCRIPTION When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain e.g. pygrub libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain. However if building the domain...

7.8CVSS8.1AI score0.02043EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2012/12/03 5:51 p.m.•49 views

several hypercalls do not validate input GFNs

ISSUE DESCRIPTION The function getpagefromgfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash. IMPACT A malicious guest administrator of a PV guest can cause Xen t...

4.7CVSS1.2AI score0.016EPSS
Exploits1Affected Software1
Xen Project
Xen Project
•added 2023/03/21 12:0 p.m.•48 views

x86: speculative vulnerability in 32bit SYSCALL path

ISSUE DESCRIPTION Due to an oversight in the very original Spectre/Meltdown security work XSA-254, one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. IMPACT An...

5.5CVSS6.7AI score0.00273EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/11/23 12:0 p.m.•48 views

PoD operations on misaligned GFNs

ISSUE DESCRIPTION x86 HVM and PVH guests may be started in populate-on-demand PoD mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specifie...

8.8CVSS8.5AI score0.00348EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/06/08 5:0 p.m.•48 views

inappropriate x86 IOMMU timeout detection / handling

ISSUE DESCRIPTION IOMMUs process commands issued to them in parallel with the operation of the CPUs issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the...

7.1CVSS2AI score0.00284EPSS
Exploits0Affected Software1
Total number of security vulnerabilities482