482 matches found
stale P2M mappings due to insufficient error checking
ISSUE DESCRIPTION Certain actions require removing pages from a guest's P2M Physical-to-Machine mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation to replace a large mapping with individual smaller ones. If...
PCI MSI mask bits inadvertently exposed to guests
ISSUE DESCRIPTION The mask bits optionally available in the PCI MSI capability structure are used by the hypervisor to occasionally suppress interrupt delivery. Unprivileged guests were, however, nevertheless allowed direct control of these bits. IMPACT Interrupts may be observed by Xen at...
Flaw in handling unknown system register access from 64-bit userspace on ARM
ISSUE DESCRIPTION When handling an unknown system register access from 64-bit userspace Xen would incorrectly return to the second instruction of the trap handler for faults in kernel space rather than the first instruction of the trap handler for faults in 64-bit userspace. Any user in a guest...
several hypercalls do not validate input GFNs
ISSUE DESCRIPTION The function getpagefromgfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash. IMPACT A malicious guest administrator of a PV guest can cause Xen t...
inappropriate x86 IOMMU timeout detection / handling
ISSUE DESCRIPTION IOMMUs process commands issued to them in parallel with the operation of the CPUs issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the...
Xenstore: guests can disturb domain cleanup
ISSUE DESCRIPTION Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately this is done by just removing the guest from xenstored's internal management, resulting in th...
x86: Mishandling of instruction pointer truncation during emulation
ISSUE DESCRIPTION When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite...
GNTTABOP_swap_grant_ref operation misbehavior
ISSUE DESCRIPTION With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOPswapgrantref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest issued...
x86 PV guest INVLPG-like flushes may leave stale TLB entries
ISSUE DESCRIPTION x86 PV guest kernels may use hypercalls with INVLPG-like behavior to invalidate TLB entries even after changes to non-leaf page tables. Such changes to non-leaf page tables will, however, also render stale possible TLB entries created by Xen's internal use of linear page tables ...
unsafe AMD IOMMU page table updates
ISSUE DESCRIPTION AMD IOMMU page table entries are updated in a step by step manner, without regard to them being potentially in use by the IOMMU. Therefore it was possible that the IOMMU would read and then use a half-updated entry. Furthermore, updates to Device Table entries lacked suitable...
page transfer may allow PV guest to elevate privilege
ISSUE DESCRIPTION Domains controlling other domains are permitted to map pages owned by the domain being controlled. If the controlling domain unmaps such a page without flushing the TLB, and if soon after the domain being controlled transfers this page to another PV domain via GNTTABOPtransfer o...
ARM guest disabling interrupt may crash Xen
ISSUE DESCRIPTION Virtual interrupt injection could be triggered by a guest when sending an SGI e.g IPI to any vCPU or by configuring timers. When the virtual interrupt is masked, a missing check in the injection path may result in reading invalid hardware register or crashing the host. IMPACT A...
x86 CMPXCHG8B emulation fails to ignore operand size override
ISSUE DESCRIPTION The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override making it CMPXCHG16B. So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the...
P2M pool freeing may take excessively long
ISSUE DESCRIPTION The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing. IMPACT A group of...
possible null dereference when parsing vif ratelimiting info
ISSUE DESCRIPTION The libxlu library function xluvifparserate does not properly handle inputs which consist solely of the '@' character, leading to a NULL pointer dereference. IMPACT A toolstack which allows untrusted users to specify an arbitrary configuration for the VIF rate can be subjected t...
x86: Native Branch History Injection
ISSUE DESCRIPTION In August 2022, researchers at VU Amsterdam disclosed Spectre-BHB. Spectre-BHB was discussed in XSA-398. At the time, the susceptibility of Xen to Spectre-BHB was uncertain so no specific action was taken in XSA-398. However, various changes were made thereafter in upstream Xen ...
x86: BTC/SRSO fixes not fully effective
ISSUE DESCRIPTION The fixes for XSA-422 Branch Type Confusion and XSA-434 Speculative Return Stack Overflow are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown XPTI deliberately left interrupts enabl...
Multiple vulnerabilities in libfsimage disk handling
ISSUE DESCRIPTION libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack root in a priviledged domain. At least one issue has been reported to the Xen...
top-level shadow reference dropped too early for 64-bit PV guests
ISSUE DESCRIPTION For migration as well as to work around kernels unaware of L1TF see XSA-273, PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this...
Xenstore: Guests can create arbitrary number of nodes via transactions
ISSUE DESCRIPTION In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been...
Arm guests can cause Dom0 DoS via PV devices
ISSUE DESCRIPTION When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to caus...
grant table v2 status pages may remain accessible after de-allocation (take two)
ISSUE DESCRIPTION Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched back from v2 to v1. The freeing of such...
Missing memory barriers when accessing/allocating an event channel
ISSUE DESCRIPTION Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such sequence is missing appropriate memory barrier e.g smpmb to prevent both the compiler and CPU to re-order access. IMPACT A malicious guest may be able to cause a...
lack of preemption in evtchn_reset() / evtchn_destroy()
ISSUE DESCRIPTION In particular the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these when resetting all event channels or when cleaning up after the guest may take extended periods of time. So far there was no arrangement for...
Missing alignment check in VCPUOP_register_vcpu_info
ISSUE DESCRIPTION The hypercall VCPUOPregistervcpuinfo is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the region is accessed with instructions which require a specific alignment...
use after free in FIFO event channel code
ISSUE DESCRIPTION When the EVTCHNOPinitcontrol operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations EVTCHNOPexpandarray or another EVTCHNOPinitcontrol, upon finding...
x86: Missing SMAP whitelisting in 32-bit exception / event delivery
ISSUE DESCRIPTION Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exception...
x86 shadow plus log-dirty mode use-after-free
ISSUE DESCRIPTION In environments where host assisted address translation is necessary but Hardware Assisted Paging HAP is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To...
insufficient TLB flush for x86 PV guests in shadow mode
ISSUE DESCRIPTION For migration as well as to work around kernels unaware of L1TF see XSA-273, PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions...
issues with partially successful P2M updates on x86
ISSUE DESCRIPTION x86 HVM and PVH guests may be started in populate-on-demand PoD mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specifie...
x86 64-bit bit test instruction emulation broken
ISSUE DESCRIPTION The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source. When Xe...
CR0.TS and CR0.EM not always honored for x86 HVM guests
ISSUE DESCRIPTION Instructions touching FPU, MMX, or XMM registers are required to raise a Device Not Available Exception NM when either CR0.EM or CR0.TS are set. Their AVX or AVX-512 extensions would consider only CR0.TS. While during normal operation this is ensured by the hardware, if a guest...
libxl allows guest write access to sensitive console related xenstore keys
ISSUE DESCRIPTION The libxenlight libxl toolstack library does not correctly set permissions on xenstore keys relating to paravirtualised and emulated serial console devices. This could allow a malicious guest administrator to change values in xenstore which the host later relies on being...
arm32: The cache may not be properly cleaned/invalidated
ISSUE DESCRIPTION Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes such as the ones during scrubbing have reached memory before handing over the page to a guest. Unfortunately, the...
Oxenstored 32->31 bit integer truncation issues
ISSUE DESCRIPTION Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates...
Arm: unbounded memory consumption for 2nd-level page tables
ISSUE DESCRIPTION Certain actions require e.g. removing pages from a guest's P2M Physical-to-Machine mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation to replace a large mapping with individual smaller ones...
Incorrect error handling in event channel port allocation
ISSUE DESCRIPTION The allocation of an event channel port may fail for multiple reasons: 1 Port is already in use 2 The memory allocation failed 3 The port we try to allocate is higher than what is supported by the ABI e.g 2L or FIFO used by the guest or the limit set by an administrator...
XAPI open file limit DoS
ISSUE DESCRIPTION It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other trusted clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors...
Xen hypercall page unsafe against speculative attacks
ISSUE DESCRIPTION Xen guests need to use different processor instructions to make explicit calls into the Xen hypervisor depending on guest type and/or CPU vendor. In order to hide those differences, the hypervisor can fill a hypercall page with the needed instruction sequences, allowing the gues...
x86: Incorrect logic for BTC/SRSO mitigations
ISSUE DESCRIPTION Because of a logical error in XSA-407 Branch Type Confusion, the mitigation is not applied properly when it is intended to be used. XSA-434 Speculative Return Stack Overflow uses the same infrastructure, so is equally impacted. For more details, see:...
Linux: buffer overrun in netback due to unusual packet
ISSUE DESCRIPTION The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split...
arm: guest_physmap_remove_page not removing the p2m mappings
ISSUE DESCRIPTION The functions to remove one or more entries from a guest p2m pagetable on Arm p2mremovemapping, guestphysmapremovepage, and p2msetentry with mfn set to INVALIDMFN do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a vali...
PCI devices with RMRRs not deassigned correctly
ISSUE DESCRIPTION Certain PCI devices in a system might be assigned Reserved Memory Regions specified via Reserved Memory Region Reporting, "RMRR". These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the...
non-atomic modification of live EPT PTE
ISSUE DESCRIPTION When mapping guest EPT nested paging tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially-written PTE to the hardware, which an attacker might be able ...
x86: PKRU and BND* leakage between vCPU-s
ISSUE DESCRIPTION Memory Protection Extensions MPX and Protection Key PKU are features in newer processors, whose state is intended to be per-thread and context switched along with all other XSAVE state. Xen's vCPU context switch code would save and restore the state only if the guest had set the...
xenstore denial of service via repeated update
ISSUE DESCRIPTION xenstored supports transactions, such that if writes which would invalidate assumptions of a transaction occur, the entire transaction fails. Typical response on a failed transaction is to simply retry the transaction until it succeeds. Unprivileged domains may issue writes to...
Xenstore: Guests can crash xenstored
ISSUE DESCRIPTION Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the...
Insufficient cleanup of passed-through device IRQs
ISSUE DESCRIPTION The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the...
guests may exceed their designated memory limit
ISSUE DESCRIPTION When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be th...
Another race in XENMAPSPACE_grant_table handling
ISSUE DESCRIPTION Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches back from v2 to v1. Freeing such pages...