482 matches found

Xen Project • added 2013/01/16 2:50 p.m.

qemu (e1000 device driver): Buffer overflow when processing large packets

SUMMARY AND SOURCES OF INFORMATION An issue in qemu has been disclosed which we believe affects some users of Xen. The Qemu project has not itself issued an advisory. More information may be available in the advisories published by the distros: https://bugzilla.redhat.com/show_bug.cgi?id=889301...

CVSS 9.3 · AI score 0.4 · EPSS 0.04904 · Exploits: 0
Xen Project • added 2013/01/08 12:00 p.m.

VT-d interrupt remapping source validation flaw

ISSUE DESCRIPTION When passing a device which is behind a legacy PCI Bridge through to a guest Xen incorrectly configures the VT-d hardware. This could allow incorrect interrupts to be injected to other guests which also have passthrough devices. In a typical Xen system many devices are owned by...

CVSS 6.1 · AI score 2.3 · EPSS 0.00716 · Exploits: 0
Xen Project • added 2013/01/04 4:00 p.m.

Hypervisor crash due to incorrect ASSERT (debug build only)

ISSUE DESCRIPTION A change to an internal interface within the hypervisor invalidated an ASSERT in a caller of that API. This code path is exposed to PV guests via a hypercall allowing administrators of PV guests to crash the hypervisor if it is built with debugging enabled. IMPACT Malicious...

CVSS 1.9 · AI score 1.9 · EPSS 0.00372 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/12/03 5:51 p.m.

several hypercalls do not validate input GFNs

ISSUE DESCRIPTION The function get_page_from_gfn does not validate its input GFN. An invalid GFN passed to a hypercall which uses this function will cause the hypervisor to read off the end of the frame table and potentially crash. IMPACT A malicious guest administrator of a PV guest can cause Xen t...

CVSS 4.7 · AI score 1.2 · EPSS 0.016 · Exploits: 1 · Affected software: 1
Xen Project • added 2012/12/03 5:51 p.m.

several HVM operations do not validate the range of their inputs

ISSUE DESCRIPTION Several HVM control operations do not check the size of their inputs and can tie up a physical CPU for extended periods of time. In addition dirty video RAM tracking involves clearing the bitmap provided by the domain controlling the guest, e.g. dom0 or a stubdom. If the size of...

CVSS 4.7 · AI score 1.8 · EPSS 0.00435 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/12/03 5:51 p.m.

XENMEM_exchange may overwrite hypervisor memory

ISSUE DESCRIPTION The handler for XENMEM_exchange accesses guest memory without range checking the guest provided addresses, thus allowing these accesses to include the hypervisor reserved range. IMPACT A malicious guest administrator can cause Xen to crash. If the out of address space bounds acce...

CVSS 6.9 · AI score 1.4 · EPSS 0.00406 · Exploits: 4 · Affected software: 1
Xen Project • added 2012/12/03 5:51 p.m.

HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak

ISSUE DESCRIPTION The HVMOP_set_mem_access operation handler uses an input as an array index before range checking it. IMPACT A malicious guest administrator can cause Xen to crash. If the out of array bounds access does not crash, the arbitrary value read will be used if the caller reads back the...

CVSS 3.2 · AI score 1.6 · EPSS 0.00406 · Exploits: 0
Xen Project • added 2012/12/03 5:51 p.m.

Grant table version switch list corruption vulnerability

ISSUE DESCRIPTION Downgrading the grant table version of a guest involves freeing its status pages. This freeing was incomplete - the pages are freed back to the allocator, but not removed from the domain's tracking list. This would cause list corruption, eventually leading to a hypervisor crash...

CVSS 4.7 · AI score 2.6 · EPSS 0.00417 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/12/03 5:51 p.m.

Broken error handling in guest_physmap_mark_populate_on_demand()

ISSUE DESCRIPTION guest_physmap_mark_populate_on_demand, before carrying out its actual operation, checks that the subject GFNs are not in use. If that check fails, the code prints a message and bypasses the gfn_unlock matching the gfn_lock carried out before entering the loop. Further, the function is...

CVSS 4.7 · AI score 0.9 · EPSS 0.00411 · Exploits: 0 · Affected software: 1
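The lock-leak shape described in the entry above, as an added example that is not Xen's code: a toy lock that only counts how many times it is held stands in for gfn_lock/gfn_unlock, and gfn_in_use[] stands in for the "GFN already populated" check. Both functions, the range bound NR_GFNS and the names mark_pod_leaky/mark_pod are constructed for illustration; the point is that the buggy version returns an error to the caller with the lock still held, which the hold counter makes visible.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the lock discipline; not Xen's p2m code. The "lock" only
 * counts holds, which is enough to make a leaked lock observable. */
#define NR_GFNS 16
static int  lock_depth;
static bool gfn_in_use[NR_GFNS];

static void gfn_lock(void)   { lock_depth++; }
static void gfn_unlock(void) { lock_depth--; }

/* Buggy shape: the early return on a failed in-use check skips the gfn_unlock()
 * matching the gfn_lock() taken before the loop, so the lock stays held after
 * the error has been reported to the guest. */
int mark_pod_leaky(unsigned first, unsigned count)
{
    if (first > NR_GFNS || count > NR_GFNS - first)
        return -EINVAL;
    gfn_lock();
    for (unsigned i = first; i < first + count; i++)
        if (gfn_in_use[i])
            return -EBUSY;             /* BUG: returns with the lock held */
    for (unsigned i = first; i < first + count; i++)
        gfn_in_use[i] = true;          /* stands in for installing the PoD entries */
    gfn_unlock();
    return 0;
}

/* Fixed shape: the range is validated before the lock is taken, and there is a
 * single exit path so every return after gfn_lock() passes gfn_unlock(). */
int mark_pod(unsigned first, unsigned count)
{
    int rc = 0;

    if (first > NR_GFNS || count > NR_GFNS - first)
        return -EINVAL;                /* nothing locked yet, a plain return is fine */
    gfn_lock();
    for (unsigned i = first; i < first + count; i++)
        if (gfn_in_use[i]) {
            rc = -EBUSY;
            goto out;
        }
    for (unsigned i = first; i < first + count; i++)
        gfn_in_use[i] = true;
out:
    gfn_unlock();
    return rc;
}

/* Test hooks: current hold count, and a reset between scenarios. */
int gfn_lock_depth(void) { return lock_depth; }

void reset_gfn_state(void)
{
    lock_depth = 0;
    memset(gfn_in_use, 0, sizeof gfn_in_use);
}
```

With a real (non-recursive) spinlock the leaked hold would deadlock the next caller rather than show up as a count, which is why the hypervisor crash in the advisory follows from a guest simply retrying the operation.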
Xen Project • added 2012/12/03 5:51 p.m.

Several memory hypercall operations allow invalid extent order values

ISSUE DESCRIPTION Allowing arbitrary extent_order input values for XENMEM_decrease_reservation, XENMEM_populate_physmap, and XENMEM_exchange can cause arbitrarily long time being spent in loops without allowing vital other code to get a chance to execute. This may also cause inconsistent state resultin...

CVSS 4.7 · AI score 3.2 · EPSS 0.00411 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/11/13 11:56 a.m.

pirq range check DoS vulnerability

ISSUE DESCRIPTION domain_pirq_to_emuirq uses the guest provided pirq value before range checking it, and physdev_unmap_pirq uses domain_pirq_to_emuirq without checking the pirq value either. Invalid pirq values can cause Xen to read out of array bounds, usually resulting in a fatal page fault. IMPACT A...

CVSS 2.1 · AI score 7.2 · EPSS 0.00419 · Exploits: 0
Xen Project • added 2012/11/13 11:56 a.m.

Grant table hypercall infinite loop DoS vulnerability

ISSUE DESCRIPTION Due to inappropriate duplicate use of the same loop control variable, passing bad arguments to GNTTABOP_get_status_frames can cause an infinite loop in the compat hypercall handler. IMPACT A malicious guest administrator can trigger the bug. If the Xen watchdog is enabled, the whol...

CVSS 2.1 · AI score 7.2 · EPSS 0.00433 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/11/13 11:56 a.m.

Timer overflow DoS vulnerability

ISSUE DESCRIPTION A guest which sets a VCPU with an inappropriate deadline can cause an infinite loop in Xen, blocking the affected physical CPU indefinitely. IMPACT A malicious guest administrator can trigger the bug. If the Xen watchdog is enabled, the whole system will crash. Otherwise the gue...

CVSS 1.9 · AI score 7.2 · EPSS 0.00385 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/11/13 11:56 a.m.

Memory mapping failure DoS vulnerability

ISSUE DESCRIPTION When set_p2m_entry fails, Xen's internal data structures (the p2m and m2p tables) can get out of sync. This failure can be triggered by unusual guest behaviour exhausting the memory reserved for the p2m table. If it happens, subsequent guest-invoked memory operations can cause Xen t...

CVSS 2.1 · AI score 7.2 · EPSS 0.00433 · Exploits: 0
Xen Project • added 2012/11/13 11:56 a.m.

Xen domain builder Out-of-memory due to malicious kernel/ramdisk

ISSUE DESCRIPTION The Xen PV domain builder contained no validation of the size of the supplied kernel or ramdisk either before or after decompression. This could cause the toolstack to consume all available RAM in the domain running the domain builder. CVE-2012-4544 Additionally, under similar...

CVSS 2.7 · AI score 7.2 · EPSS 0.00923 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/11/13 11:56 a.m.

Unhooking empty PAE entries DoS vulnerability

ISSUE DESCRIPTION The HVMOP_pagetable_dying hypercall does not correctly check the caller's pagetable state, leading to a hypervisor crash. IMPACT An HVM guest running on shadow pagetables (that is, not HAP) can cause the hypervisor to crash. VULNERABLE SYSTEMS All Xen versions from 4.0 onwards are...

CVSS 4.9 · AI score 7.2 · EPSS 0.00443 · Exploits: 0
Xen Project • added 2012/09/06 2:13 p.m.

guest administrator can access qemu monitor console

ISSUE DESCRIPTION A guest administrator who is granted access to the graphical console of a Xen guest can access the qemu monitor. The monitor can be used to access host resources. IMPACT A malicious guest administrator can access host resources perhaps belonging to other guests or the underlying...

CVSS 4.6 · AI score 7.1 · EPSS 0.00379 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/09/05 9:14 a.m.

grant table entry swaps have inadequate bounds checking

ISSUE DESCRIPTION The grant table hypercall's GNTTABOP_swap_grant_ref sub-operation does not perform adequate checks on the input grant references. IMPACT A malicious guest kernel or administrator can crash the host. It may be possible for an attacker to swap a valid grant reference, which they...

CVSS 6.9 · AI score 5.9 · EPSS 0.00356 · Exploits: 0 · Affected software: 1
Xen Project • added 2012/09/05 9:12 a.m.

PHYSDEVOP_map_pirq index vulnerability

ISSUE DESCRIPTION PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check map->index. IMPACT A malicious HVM guest kernel can crash the host. It might also be able to read hypervisor or guest memory. VULNERABLE SYSTEMS All Xen systems running HVM guests. PV guests are not vulnerable. The...

CVSS 5.6 · AI score 7.2 · EPSS 0.00437 · Exploits: 0
Xen Project • added 2012/09/05 9:12 a.m.

Qemu VT100 emulation vulnerability

ISSUE DESCRIPTION The device model used by fully virtualised HVM domains, qemu, does not properly handle VT100 escape sequences when emulating certain devices with a virtual console backend. IMPACT An attacker who has sufficient privilege to access a vulnerable device within a guest can overwrite...

CVSS 7.2 · AI score 7.1 · EPSS 0.00528 · Exploits: 0
Xen Project • added 2012/09/05 9:10 a.m.

multiple TMEM hypercall vulnerabilities

ISSUE DESCRIPTION Several sub-operations of the Transcendent Memory (TMEM) hypercall either do not correctly validate their inputs, do not correctly validate the privilege of the calling guest, or have other security-relevant bugs. A full list of the vulnerabilities in the TMEM system is not...

CVSS 6.9 · AI score 7.2 · EPSS 0.00396 · Exploits: 0
Xen Project • added 2012/09/05 8:38 a.m.

XENMEM_populate_physmap DoS vulnerability

ISSUE DESCRIPTION XENMEM_populate_physmap can be called with invalid flags. By calling it with the MEMF_populate_on_demand flag set, a BUG can be triggered if a translating paging mode is not being used. IMPACT A malicious guest kernel can crash the host. VULNERABLE SYSTEMS All Xen systems running PV...

CVSS 4.7 · AI score 7.2 · EPSS 0.00418 · Exploits: 0
Xen Project • added 2012/09/05 8:13 a.m.

hypercall physdev_get_free_pirq vulnerability

ISSUE DESCRIPTION PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq succeeded, and if it fails will use the error code as an array index. IMPACT A malicious guest might be able to cause the host to crash, leading to a DoS, depending on the exact memory layout. Privilege escalation ...

CVSS 6.1 · AI score 7.2 · EPSS 0.00439 · Exploits: 1 · Affected software: 1
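Two of the index bugs listed on this page share one shape: a value that has not been validated is used as an array subscript. The "pirq range check" and "PHYSDEVOP_map_pirq index" entries use a guest-supplied number directly; the "physdev_get_free_pirq" entry above uses an allocator's negative error code. The following is an added example, not Xen's code: the table, its size NR_PIRQS, and the function names are constructed stand-ins, and the "_unchecked" variants exist only to show the shape of the bug (they are never called with bad input here).

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for a per-domain pirq table; not Xen's data structures
 * or handlers. emuirq_table[] holds the emulated IRQ bound to each pirq. */
#define NR_PIRQS 64
static int  emuirq_table[NR_PIRQS];
static bool pirq_in_use[NR_PIRQS];

/* Vulnerable shape (never call it with untrusted input): the guest-supplied pirq
 * indexes the table before any range check. A pirq of -1 or NR_PIRQS reads
 * outside the array; in a hypervisor that is typically a fatal page fault. */
int domain_pirq_to_emuirq_unchecked(int pirq)
{
    return emuirq_table[pirq];
}

/* Hardened: validate the guest value against the table bounds first. Casting to
 * unsigned folds "negative" and "too large" into one comparison. Returns the
 * emuirq (>= 0) or a negative errno. */
int domain_pirq_to_emuirq(int pirq)
{
    if ((unsigned int)pirq >= NR_PIRQS)
        return -EINVAL;
    return emuirq_table[pirq];
}

/* Stand-in allocator: a free pirq number, or a negative errno when none is free. */
int get_free_pirq(void)
{
    for (int i = 0; i < NR_PIRQS; i++)
        if (!pirq_in_use[i])
            return i;
    return -ENOSPC;
}

/* Vulnerable shape: the allocator's return value is used as an index without
 * checking for failure, so -ENOSPC silently becomes a negative array index. */
void claim_pirq_unchecked(int emuirq)
{
    int pirq = get_free_pirq();
    emuirq_table[pirq] = emuirq;        /* out-of-bounds write when pirq < 0 */
    pirq_in_use[pirq] = true;
}

/* Hardened: propagate the error before the value touches any array. Returns the
 * pirq claimed, or the allocator's negative errno. */
int claim_pirq(int emuirq)
{
    int pirq = get_free_pirq();
    if (pirq < 0)
        return pirq;
    emuirq_table[pirq] = emuirq;
    pirq_in_use[pirq] = true;
    return pirq;
}

/* Claims pirqs until the table is full; returns how many succeeded. */
int claim_all_pirqs(void)
{
    int n = 0;
    while (claim_pirq(100 + n) >= 0)
        n++;
    return n;
}

void reset_pirq_table(void)
{
    memset(emuirq_table, 0, sizeof emuirq_table);
    memset(pirq_in_use, 0, sizeof pirq_in_use);
}
```

The unsigned-compare idiom in domain_pirq_to_emuirq is the one to look for when auditing hypercall handlers: a signed `pirq < NR_PIRQS` check alone still lets negative values through.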
Xen Project • added 2012/09/05 7:38 a.m.

hypercall set_debugreg vulnerability

ISSUE DESCRIPTION set_debugreg allows writes to reserved bits of the DR7 debug control register on x86-64. IMPACT A malicious guest can cause the host to crash, leading to a DoS. If the vulnerable hypervisor is run on future hardware, the impact of the vulnerability might be widened depending on t...

CVSS 2.1 · AI score 7.2 · EPSS 0.00437 · Exploits: 0
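A sanitiser for a guest-supplied DR7 value, as an added example that is not Xen's set_debugreg. The bit positions come from the x86 architecture manuals: bit 10 always reads as 1, bits 11, 12, 14 and 15 are reserved, bit 13 (GD, general detect) is privileged, and on x86-64 loading DR7 with any of bits 63:32 set raises #GP. If a hypervisor loads the guest's value verbatim, that #GP fires in hypervisor context, which is the crash the entry above describes. The function name and the errno choices are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>

/* DR7 bit layout (x86 debug registers). Constructed illustration of sanitising a
 * guest-supplied DR7 value; not Xen's set_debugreg. */
#define DR7_RESERVED_ONE    (1UL << 10)                 /* reads as 1 */
#define DR7_RESERVED_ZERO   ((1UL << 11) | (1UL << 12) | (1UL << 14) | (1UL << 15))
#define DR7_GD              (1UL << 13)                 /* general detect: privileged */
#define DR7_UPPER_RESERVED  0xffffffff00000000UL        /* x86-64: non-zero => #GP on load */

/* Returns 0 and stores the value that is safe to load into DR7 on the guest's
 * behalf, or a negative errno if the request cannot be honoured. */
int sanitise_dr7(uint64_t guest_value, uint64_t *hw_value)
{
    /* Bits 63:32 cannot be masked silently: the guest asked for a write the
     * hardware would fault on, so report it rather than fault in the hypervisor. */
    if (guest_value & DR7_UPPER_RESERVED)
        return -EINVAL;

    /* GD would raise #DB on the hypervisor's own debug-register accesses. */
    if (guest_value & DR7_GD)
        return -EPERM;

    uint64_t v = guest_value;
    v &= ~DR7_RESERVED_ZERO;    /* reserved-zero bits forced clear */
    v |=  DR7_RESERVED_ONE;     /* reserved-one bit forced set */
    *hw_value = v;
    return 0;
}
```

The split between "mask" and "reject" is the design point: bits whose documented behaviour is "ignored" can be masked, but bits whose documented behaviour is "fault" must be refused before the register is touched.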
Xen Project • added 2012/08/09 12:00 p.m.

HVM guest destroy p2m teardown host DoS vulnerability

ISSUE DESCRIPTION An HVM guest is able to manipulate its physical address space such that tearing down the guest takes an extended period of time searching for shared pages. This causes the domain 0 VCPU which tears down the domain to be blocked in the destroy hypercall. This causes that...

CVSS 4.9 · AI score 7.1 · EPSS 0.00416 · Exploits: 0
Xen Project • added 2012/07/26 3:21 p.m.

HVM guest user mode MMIO emulation DoS vulnerability

ISSUE DESCRIPTION Internal data of the emulator for MMIO operations may, under certain rare conditions, at the end of one emulation cycle be left in a state affecting a subsequent emulation such that this second emulation would fail, causing an exception to be reported to the guest kernel where...

CVSS 1.9 · AI score 7 · EPSS 0.00642 · Exploits: 1 · Affected software: 1
Xen Project • added 2012/02/02 1:57 p.m.

qemu-dm Local Privilege Escalation Vulnerability

ISSUE DESCRIPTION Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. Upstream qemu has already released an advisory hence there is no embargo...

CVSS 7.4 · AI score 6.4 · EPSS 0.00916 · Exploits: 0
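Both e1000 entries on this page (the 2013 "large packets" one and this process_tx_desc one) are the same class of bug: an emulated NIC accumulates guest-described transmit chunks into a fixed device buffer and trusts the guest's lengths. The following is an added, deliberately simplified model and not QEMU's e1000 code: the descriptor layout, TX_BUF_SIZE, the canary field and the sample descriptor chain are all constructed here. The unchecked variant is shown only for its shape and is never run on the oversized chain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of an emulated NIC's transmit path, not QEMU's
 * e1000 code: the guest queues descriptors, each naming a chunk of guest memory,
 * and the device concatenates the chunks into one frame buffer until it sees a
 * descriptor with the end-of-packet (EOP) bit. */
#define TX_BUF_SIZE 1518u              /* assumed frame buffer size for the model */

struct tx_desc {
    const uint8_t *addr;               /* chunk in "guest memory" (stands in for a DMA address) */
    uint16_t length;                   /* guest-controlled chunk length */
    bool eop;
};

struct tx_state {
    uint8_t data[TX_BUF_SIZE];
    size_t  size;                      /* bytes accumulated for the current frame */
    uint8_t canary[8];                 /* stands in for whatever follows data[] on the heap */
};

/* Vulnerable shape (do not run with guest input): lengths are trusted, so a chain
 * of descriptors whose lengths sum past TX_BUF_SIZE writes beyond data[]. */
void process_tx_desc_unchecked(struct tx_state *tp, const struct tx_desc *d)
{
    memcpy(tp->data + tp->size, d->addr, d->length);   /* no bound on size + length */
    tp->size += d->length;
    if (d->eop)
        tp->size = 0;
}

/* Hardened: a descriptor that would not fit discards the frame in progress and
 * is not copied at all. Returns bytes copied, or -1 if the frame was dropped. */
int process_tx_desc(struct tx_state *tp, const struct tx_desc *d)
{
    if (d->length > TX_BUF_SIZE - tp->size) {
        tp->size = 0;                  /* drop the oversized frame, resync on the next one */
        return -1;
    }
    memcpy(tp->data + tp->size, d->addr, d->length);
    tp->size += d->length;
    if (d->eop)
        tp->size = 0;                  /* frame complete: hand off and start over */
    return d->length;
}

/* Constructed guest input: three 1000-byte chunks claimed to be one frame,
 * 3000 bytes in total, nearly twice what the buffer holds. */
static uint8_t chunk[1000];
static const struct tx_desc oversized_chain[3] = {
    { chunk, 1000, false },
    { chunk, 1000, false },
    { chunk, 1000, true  },
};

struct tx_state demo_state;            /* state the demo below fills in */

/* Runs the chain through the hardened path; returns the number of dropped frames. */
int demo_oversized_chain(struct tx_state *tp)
{
    int dropped = 0;
    memset(tp, 0, sizeof *tp);
    memset(tp->canary, 0xA5, sizeof tp->canary);
    memset(chunk, 0x55, sizeof chunk);
    for (size_t i = 0; i < 3; i++)
        if (process_tx_desc(tp, &oversized_chain[i]) < 0)
            dropped++;
    return dropped;
}

/* True if the bytes after data[] were left untouched. */
bool canary_intact(const struct tx_state *tp)
{
    for (size_t i = 0; i < sizeof tp->canary; i++)
        if (tp->canary[i] != 0xA5)
            return false;
    return true;
}
```

On the sample chain the hardened path accepts the first chunk, drops the second (which would have run 482 bytes past the buffer) and then treats the third as the start of a new frame; the canary after the buffer survives, which is exactly what the unchecked variant would not guarantee.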
Xen Project • added 2011/09/02 9:18 a.m.

Xen <= 3.3 DoS due to incorrect virtual address validation

ISSUE DESCRIPTION The x86-64 __addr_ok macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the "negative half" too, via certain...

CVSS 5.5 · AI score 7.1 · EPSS 0.0059 · Exploits: 0 · Affected software: 1
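The off-by-one in the shift count, as an added example that is not Xen's header. With 48-bit virtual addresses the "positive half" the entry above refers to is [0, 1<<47), so the check has to shift by 47; shifting by 48 accepts a further 2^47 bytes of address space, [1<<47, 1<<48), that the hypervisor will then go on to touch. The value used for HYPERVISOR_VIRT_END below is an assumption for the sake of the example; only the two comparison shapes matter.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed illustration of the address check; not Xen's header. The end of
 * the hypervisor-reserved range is assumed for the example. */
#define HYPERVISOR_VIRT_END 0xffff880000000000UL   /* assumed value, illustration only */

/* Off-by-one version: "below 1<<48" admits [1<<47, 1<<48), which is outside the
 * positive half of a 48-bit address space. */
bool addr_ok_offbyone(uint64_t addr)
{
    return (addr >> 48) == 0 || addr >= HYPERVISOR_VIRT_END;
}

/* Corrected version: positive half of the 48-bit space, or above the Xen range. */
bool addr_ok(uint64_t addr)
{
    return (addr >> 47) == 0 || addr >= HYPERVISOR_VIRT_END;
}

/* Size of the region the buggy check accepts and the corrected one rejects. */
uint64_t offbyone_extra_span(void)
{
    uint64_t lo = 1UL << 47, hi = 1UL << 48, span = 0;
    /* walk in 1<<40 steps so the loop is cheap; every sample must disagree */
    for (uint64_t a = lo; a < hi; a += 1UL << 40)
        if (addr_ok_offbyone(a) && !addr_ok(a))
            span += 1UL << 40;
    return span;
}
```

The audit habit this suggests: for any "is this guest pointer acceptable" macro, test the exact boundaries (last good, first bad) rather than a typical value, since the two versions above agree on every address a well-behaved guest would ever pass.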
Xen Project • added 2011/08/12 11:27 a.m.

Xen DoS using IOMMU faults from PCI-passthrough guest

ISSUE DESCRIPTION A VM that controls a PCIe device directly can cause it to issue DMA requests to invalid addresses. Although these requests are denied by the IOMMU, the hypervisor needs to handle the interrupt and clear the error from the IOMMU, and this can be used to live-lock a CPU and...

CVSS 4.6 · AI score 5.8 · EPSS 0.0044 · Exploits: 1
Xen Project • added 2011/05/12 11:48 a.m.

VT-d (PCI passthrough) MSI trap injection

ISSUE DESCRIPTION Intel VT-d chipsets without interrupt remapping do not prevent a guest which owns a PCI device from using DMA to generate MSI interrupts by writing to the interrupt injection registers. This can be exploited to inject traps and gain control of the host. VULNERABLE SYSTEMS You ar...

CVSS 7.4 · AI score 7.2 · EPSS 0.00852 · Exploits: 1
Xen Project • added 2011/05/09 12:08 p.m.

paravirtualised kernel image validation

ISSUE DESCRIPTION 1. Problems: The functions which interpret the kernel image supplied for a paravirtualised guest, and decompress it into memory when booting the domain, are incautious. Specifically: (i) Integer overflow in the decompression loop memory allocator might result in...

CVSS 6.9 · AI score 5.9 · EPSS 0.00705 · Exploits: 0
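The two domain-builder entries on this page (the 2012 "Out-of-memory due to malicious kernel/ramdisk" one and this one) both come down to the accounting around a decompressor's output buffer: the compressed size, the decompressed size and the growth of the allocation all need bounds, and the growth arithmetic must not wrap. The following is an added example and not libxc's code: a toy run-length format (pairs of count and byte) stands in for gzip or bzip2, and the limits max_in and max_out are policy parameters invented for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a toy run-length format (<count, byte> pairs) standing in
 * for the compressed images a domain builder decodes. The codec is trivial on
 * purpose; the accounting around the output buffer is the point. */

/* Overflow-safe growth of the output allocation. Returns 0 or a negative errno. */
int grow_output(uint8_t **buf, size_t *cap, size_t need, size_t max_out)
{
    if (need <= *cap)
        return 0;
    if (need > max_out)                 /* decompressed image exceeds the policy limit */
        return -E2BIG;
    size_t newcap = *cap ? *cap : 64;
    while (newcap < need) {
        if (newcap > SIZE_MAX / 2)      /* doubling would wrap around */
            return -EOVERFLOW;
        newcap *= 2;
    }
    if (newcap > max_out)
        newcap = max_out;               /* never allocate more than policy allows */
    uint8_t *p = realloc(*buf, newcap);
    if (!p)
        return -ENOMEM;
    *buf = p;
    *cap = newcap;
    return 0;
}

/* Decodes in[0..in_len) into a freshly allocated buffer, never producing more
 * than max_out bytes. Returns the decompressed length or a negative errno. */
long rle_decompress(const uint8_t *in, size_t in_len, size_t max_in, size_t max_out,
                    uint8_t **out)
{
    if (in_len > max_in)                /* oversized compressed input: refuse before allocating */
        return -E2BIG;
    if (in_len % 2)
        return -EINVAL;
    uint8_t *buf = NULL;
    size_t cap = 0, len = 0;
    for (size_t i = 0; i < in_len; i += 2) {
        size_t run = in[i];
        if (run > SIZE_MAX - len) {     /* len + run would wrap */
            free(buf);
            return -EOVERFLOW;
        }
        int rc = grow_output(&buf, &cap, len + run, max_out);
        if (rc) {
            free(buf);
            return rc;
        }
        memset(buf + len, in[i + 1], run);
        len += run;
    }
    *out = buf;
    return (long)len;
}

/* Constructed "image": ten runs of 255 'A's, 20 bytes compressed, 2550 bytes out.
 * Returns the decompressed length under the given output limit, or the errno. */
long demo_decompress(size_t max_out)
{
    uint8_t img[20];
    for (size_t i = 0; i < sizeof img; i += 2) {
        img[i] = 255;
        img[i + 1] = 'A';
    }
    uint8_t *out = NULL;
    long rc = rle_decompress(img, sizeof img, 1024, max_out, &out);
    if (rc >= 0) {
        for (long i = 0; i < rc; i++)
            if (out[i] != 'A') {
                free(out);
                return -EIO;
            }
        free(out);
    }
    return rc;
}

/* Compressed input larger than the policy allows is refused before any allocation. */
long demo_oversized_input(void)
{
    uint8_t img[64] = {0};
    uint8_t *out = NULL;
    return rle_decompress(img, sizeof img, 32, 4096, &out);
}
```

Three independent limits are enforced: the compressed size before anything is read, the decompressed size as it grows, and the arithmetic that computes the next allocation size. A real decompressor has a far higher expansion ratio than this toy's 127:1, which is why the "after decompression" check in the entries above cannot be replaced by a check on the input size alone.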
Xen Project • added 2011/03/14 11:00 a.m.

Host crash due to failure to correctly validate PV kernel execution state

ISSUE DESCRIPTION Cannot specify user mode execution without specifying user-mode pagetables. Failure to validate this allows a malicious or buggy 64 bit PV guest to crash the host. NB: predates the vulnerability handling process and therefore no formal announcement...

CVSS 5.5 · AI score 7.2 · EPSS 0.00673 · Exploits: 0
Total number of security vulnerabilities: 482