Lucene search
K
XenMost viewed

482 matches found

Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•48 views

stale P2M mappings due to insufficient error checking

ISSUE DESCRIPTION Certain actions require removing pages from a guest's P2M Physical-to-Machine mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation to replace a large mapping with individual smaller ones. If...

10CVSS0.3AI score0.0367EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/06/02 12:0 p.m.•48 views

PCI MSI mask bits inadvertently exposed to guests

ISSUE DESCRIPTION The mask bits optionally available in the PCI MSI capability structure are used by the hypervisor to occasionally suppress interrupt delivery. Unprivileged guests were, however, nevertheless allowed direct control of these bits. IMPACT Interrupts may be observed by Xen at...

7.8CVSS7.9AI score0.03427EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2014/08/12 12:0 p.m.•48 views

Flaw in handling unknown system register access from 64-bit userspace on ARM

ISSUE DESCRIPTION When handling an unknown system register access from 64-bit userspace Xen would incorrectly return to the second instruction of the trap handler for faults in kernel space rather than the first instruction of the trap handler for faults in 64-bit userspace. Any user in a guest...

4.6CVSS6AI score0.00402EPSS
Exploits0
Xen Project
Xen Project
•added 2012/12/03 5:51 p.m.•48 views

several hypercalls do not validate input GFNs

ISSUE DESCRIPTION The function getpagefromgfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash. IMPACT A malicious guest administrator of a PV guest can cause Xen t...

4.7CVSS1.2AI score0.016EPSS
Exploits1Affected Software1
Xen Project
Xen Project
•added 2021/06/08 5:0 p.m.•47 views

inappropriate x86 IOMMU timeout detection / handling

ISSUE DESCRIPTION IOMMUs process commands issued to them in parallel with the operation of the CPUs issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the...

7.1CVSS2AI score0.00284EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/12/15 12:0 p.m.•47 views

Xenstore: guests can disturb domain cleanup

ISSUE DESCRIPTION Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately this is done by just removing the guest from xenstored's internal management, resulting in th...

6.5CVSS1AI score0.0037EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/09/08 12:0 p.m.•47 views

x86: Mishandling of instruction pointer truncation during emulation

ISSUE DESCRIPTION When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite...

8.2CVSS0.6AI score0.00425EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2015/06/11 12:0 p.m.•47 views

GNTTABOP_swap_grant_ref operation misbehavior

ISSUE DESCRIPTION With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOPswapgrantref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest issued...

4.9CVSS8.8AI score0.00439EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/10/20 12:0 p.m.•46 views

x86 PV guest INVLPG-like flushes may leave stale TLB entries

ISSUE DESCRIPTION x86 PV guest kernels may use hypercalls with INVLPG-like behavior to invalidate TLB entries even after changes to non-leaf page tables. Such changes to non-leaf page tables will, however, also render stale possible TLB entries created by Xen's internal use of linear page tables ...

5.3CVSS0.2AI score0.00353EPSS
Exploits0
Xen Project
Xen Project
•added 2020/10/20 12:0 p.m.•46 views

unsafe AMD IOMMU page table updates

ISSUE DESCRIPTION AMD IOMMU page table entries are updated in a step by step manner, without regard to them being potentially in use by the IOMMU. Therefore it was possible that the IOMMU would read and then use a half-updated entry. Furthermore, updates to Device Table entries lacked suitable...

7.8CVSS1.1AI score0.00251EPSS
Exploits0
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•46 views

page transfer may allow PV guest to elevate privilege

ISSUE DESCRIPTION Domains controlling other domains are permitted to map pages owned by the domain being controlled. If the controlling domain unmaps such a page without flushing the TLB, and if soon after the domain being controlled transfers this page to another PV domain via GNTTABOPtransfer o...

10CVSS7.1AI score0.02668EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•46 views

ARM guest disabling interrupt may crash Xen

ISSUE DESCRIPTION Virtual interrupt injection could be triggered by a guest when sending an SGI e.g IPI to any vCPU or by configuring timers. When the virtual interrupt is masked, a missing check in the injection path may result in reading invalid hardware register or crashing the host. IMPACT A...

6.5CVSS2.1AI score0.019EPSS
Exploits0
Xen Project
Xen Project
•added 2016/12/13 12:0 p.m.•46 views

x86 CMPXCHG8B emulation fails to ignore operand size override

ISSUE DESCRIPTION The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override making it CMPXCHG16B. So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the...

3.3CVSS0.7AI score0.00421EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/10/11 12:0 p.m.•45 views

P2M pool freeing may take excessively long

ISSUE DESCRIPTION The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing. IMPACT A group of...

6.5CVSS0.6AI score0.00265EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2013/10/10 12:0 p.m.•45 views

possible null dereference when parsing vif ratelimiting info

ISSUE DESCRIPTION The libxlu library function xluvifparserate does not properly handle inputs which consist solely of the '@' character, leading to a NULL pointer dereference. IMPACT A toolstack which allows untrusted users to specify an arbitrary configuration for the VIF rate can be subjected t...

1.9CVSS2.3AI score0.00343EPSS
Exploits0
Xen Project
Xen Project
•added 2024/04/09 5:0 p.m.•44 views

x86: Native Branch History Injection

ISSUE DESCRIPTION In August 2022, researchers at VU Amsterdam disclosed Spectre-BHB. Spectre-BHB was discussed in XSA-398. At the time, the susceptibility of Xen to Spectre-BHB was uncertain so no specific action was taken in XSA-398. However, various changes were made thereafter in upstream Xen ...

4.7CVSS6.9AI score0.08555EPSS
Exploits0
Xen Project
Xen Project
•added 2023/11/14 12:0 p.m.•44 views

x86: BTC/SRSO fixes not fully effective

ISSUE DESCRIPTION The fixes for XSA-422 Branch Type Confusion and XSA-434 Speculative Return Stack Overflow are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown XPTI deliberately left interrupts enabl...

4.7CVSS7AI score0.0025EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2023/10/10 12:0 p.m.•44 views

Multiple vulnerabilities in libfsimage disk handling

ISSUE DESCRIPTION libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack root in a priviledged domain. At least one issue has been reported to the Xen...

8.8CVSS10AI score0.02196EPSS
Exploits1Affected Software1
Xen Project
Xen Project
•added 2023/09/19 12:0 p.m.•44 views

top-level shadow reference dropped too early for 64-bit PV guests

ISSUE DESCRIPTION For migration as well as to work around kernels unaware of L1TF see XSA-273, PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this...

7.8CVSS6.2AI score0.0023EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•44 views

Xenstore: Guests can create arbitrary number of nodes via transactions

ISSUE DESCRIPTION In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been...

5.5CVSS1.6AI score0.00277EPSS
Exploits0
Xen Project
Xen Project
•added 2022/07/05 12:0 p.m.•44 views

Arm guests can cause Dom0 DoS via PV devices

ISSUE DESCRIPTION When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to caus...

4.7CVSS1.3AI score0.00309EPSS
Exploits0
Xen Project
Xen Project
•added 2021/11/23 12:0 p.m.•44 views

grant table v2 status pages may remain accessible after de-allocation (take two)

ISSUE DESCRIPTION Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched back from v2 to v1. The freeing of such...

7CVSS7.1AI score0.00305EPSS
Exploits0
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•44 views

Missing memory barriers when accessing/allocating an event channel

ISSUE DESCRIPTION Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such sequence is missing appropriate memory barrier e.g smpmb to prevent both the compiler and CPU to re-order access. IMPACT A malicious guest may be able to cause a...

7.8CVSS1AI score0.00415EPSS
Exploits0
Xen Project
Xen Project
•added 2020/09/22 12:0 p.m.•44 views

lack of preemption in evtchn_reset() / evtchn_destroy()

ISSUE DESCRIPTION In particular the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these when resetting all event channels or when cleaning up after the guest may take extended periods of time. So far there was no arrangement for...

5.5CVSS2.7AI score0.00424EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/07/07 12:0 p.m.•44 views

Missing alignment check in VCPUOP_register_vcpu_info

ISSUE DESCRIPTION The hypercall VCPUOPregistervcpuinfo is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the region is accessed with instructions which require a specific alignment...

6.5CVSS1.7AI score0.00398EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/09/08 12:0 p.m.•44 views

use after free in FIFO event channel code

ISSUE DESCRIPTION When the EVTCHNOPinitcontrol operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations EVTCHNOPexpandarray or another EVTCHNOPinitcontrol, upon finding...

7.2CVSS1.8AI score0.00502EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/07/26 12:0 p.m.•44 views

x86: Missing SMAP whitelisting in 32-bit exception / event delivery

ISSUE DESCRIPTION Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exception...

6.2CVSS6.2AI score0.00639EPSS
Exploits0
Xen Project
Xen Project
•added 2023/03/21 12:0 p.m.•43 views

x86 shadow plus log-dirty mode use-after-free

ISSUE DESCRIPTION In environments where host assisted address translation is necessary but Hardware Assisted Paging HAP is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To...

7.8CVSS7.1AI score0.00268EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/07/26 12:0 p.m.•43 views

insufficient TLB flush for x86 PV guests in shadow mode

ISSUE DESCRIPTION For migration as well as to work around kernels unaware of L1TF see XSA-273, PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions...

8.8CVSS1.4AI score0.00289EPSS
Exploits0
Xen Project
Xen Project
•added 2021/11/23 12:0 p.m.•43 views

issues with partially successful P2M updates on x86

ISSUE DESCRIPTION x86 HVM and PVH guests may be started in populate-on-demand PoD mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specifie...

7.8CVSS8.1AI score0.00338EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/11/22 12:0 p.m.•43 views

x86 64-bit bit test instruction emulation broken

ISSUE DESCRIPTION The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source. When Xe...

8.8CVSS0.9AI score0.00505EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2016/10/04 12:0 p.m.•43 views

CR0.TS and CR0.EM not always honored for x86 HVM guests

ISSUE DESCRIPTION Instructions touching FPU, MMX, or XMM registers are required to raise a Device Not Available Exception NM when either CR0.EM or CR0.TS are set. Their AVX or AVX-512 extensions would consider only CR0.TS. While during normal operation this is ensured by the hardware, if a guest...

6.3CVSS0.8AI score0.00303EPSS
Exploits0
Xen Project
Xen Project
•added 2013/06/20 12:0 p.m.•43 views

libxl allows guest write access to sensitive console related xenstore keys

ISSUE DESCRIPTION The libxenlight libxl toolstack library does not correctly set permissions on xenstore keys relating to paravirtualised and emulated serial console devices. This could allow a malicious guest administrator to change values in xenstore which the host later relies on being...

7.4CVSS0.9AI score0.00562EPSS
Exploits0
Xen Project
Xen Project
•added 2023/09/05 12:0 p.m.•42 views

arm32: The cache may not be properly cleaned/invalidated

ISSUE DESCRIPTION Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes such as the ones during scrubbing have reached memory before handing over the page to a guest. Unfortunately, the...

3.3CVSS6.9AI score0.00255EPSS
Exploits0
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•42 views

Oxenstored 32->31 bit integer truncation issues

ISSUE DESCRIPTION Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates...

5.5CVSS1.4AI score0.0027EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/10/11 12:0 p.m.•42 views

Arm: unbounded memory consumption for 2nd-level page tables

ISSUE DESCRIPTION Certain actions require e.g. removing pages from a guest's P2M Physical-to-Machine mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation to replace a large mapping with individual smaller ones...

3.8CVSS0.2AI score0.00259EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2020/07/07 12:0 p.m.•42 views

Incorrect error handling in event channel port allocation

ISSUE DESCRIPTION The allocation of an event channel port may fail for multiple reasons: 1 Port is already in use 2 The memory allocation failed 3 The port we try to allocate is higher than what is supported by the ABI e.g 2L or FIFO used by the guest or the limit set by an administrator...

6.5CVSS0.1AI score0.00409EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/10/11 12:0 p.m.•41 views

XAPI open file limit DoS

ISSUE DESCRIPTION It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other trusted clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors...

5.3CVSS1.2AI score0.00877EPSS
Exploits0
Xen Project
Xen Project
•added 2024/12/17 12:0 p.m.•40 views

Xen hypercall page unsafe against speculative attacks

ISSUE DESCRIPTION Xen guests need to use different processor instructions to make explicit calls into the Xen hypervisor depending on guest type and/or CPU vendor. In order to hide those differences, the hypervisor can fill a hypercall page with the needed instruction sequences, allowing the gues...

5.5CVSS7AI score0.00304EPSS
Exploits0
Xen Project
Xen Project
•added 2024/04/09 5:0 p.m.•40 views

x86: Incorrect logic for BTC/SRSO mitigations

ISSUE DESCRIPTION Because of a logical error in XSA-407 Branch Type Confusion, the mitigation is not applied properly when it is intended to be used. XSA-434 Speculative Return Stack Overflow uses the same infrastructure, so is equally impacted. For more details, see:...

7.5CVSS7AI score0.17444EPSS
Exploits0
Xen Project
Xen Project
•added 2023/08/08 5:0 p.m.•40 views

Linux: buffer overrun in netback due to unusual packet

ISSUE DESCRIPTION The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split...

7.8CVSS7.3AI score0.00296EPSS
Exploits0
Xen Project
Xen Project
•added 2022/01/25 12:0 p.m.•40 views

arm: guest_physmap_remove_page not removing the p2m mappings

ISSUE DESCRIPTION The functions to remove one or more entries from a guest p2m pagetable on Arm p2mremovemapping, guestphysmapremovepage, and p2msetentry with mfn set to INVALIDMFN do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a vali...

7.8CVSS0.8AI score0.0034EPSS
Exploits0
Xen Project
Xen Project
•added 2021/10/05 6:43 p.m.•40 views

PCI devices with RMRRs not deassigned correctly

ISSUE DESCRIPTION Certain PCI devices in a system might be assigned Reserved Memory Regions specified via Reserved Memory Region Reporting, "RMRR". These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the...

7.6CVSS1.5AI score0.00427EPSS
Exploits0
Xen Project
Xen Project
•added 2020/07/07 12:0 p.m.•40 views

non-atomic modification of live EPT PTE

ISSUE DESCRIPTION When mapping guest EPT nested paging tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially-written PTE to the hardware, which an attacker might be able ...

7.8CVSS0.4AI score0.00276EPSS
Exploits0
Xen Project
Xen Project
•added 2017/06/20 12:0 p.m.•40 views

x86: PKRU and BND* leakage between vCPU-s

ISSUE DESCRIPTION Memory Protection Extensions MPX and Protection Key PKU are features in newer processors, whose state is intended to be per-thread and context switched along with all other XSAVE state. Xen's vCPU context switch code would save and restore the state only if the guest had set the...

7.5CVSS8AI score0.01349EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2017/03/28 12:0 p.m.•40 views

xenstore denial of service via repeated update

ISSUE DESCRIPTION xenstored supports transactions, such that if writes which would invalidate assumptions of a transaction occur, the entire transaction fails. Typical response on a failed transaction is to simply retry the transaction until it succeeds. Unprivileged domains may issue writes to...

2.8AI score
Exploits0Affected Software1
Xen Project
Xen Project
•added 2022/11/01 12:0 p.m.•39 views

Xenstore: Guests can crash xenstored

ISSUE DESCRIPTION Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the...

8.8CVSS1.9AI score0.00272EPSS
Exploits0
Xen Project
Xen Project
•added 2022/01/25 12:0 p.m.•39 views

Insufficient cleanup of passed-through device IRQs

ISSUE DESCRIPTION The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the...

4.7CVSS1.1AI score0.00352EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/11/23 12:0 p.m.•38 views

guests may exceed their designated memory limit

ISSUE DESCRIPTION When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be th...

8.6CVSS8.2AI score0.0206EPSS
Exploits0Affected Software1
Xen Project
Xen Project
•added 2021/09/08 12:0 p.m.•38 views

Another race in XENMAPSPACE_grant_table handling

ISSUE DESCRIPTION Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches back from v2 to v1. Freeing such pages...

7.8CVSS0.5AI score0.00266EPSS
Exploits0Affected Software1
Total number of security vulnerabilities482