Insufficient cleanup of passed-through device IRQs
ISSUE DESCRIPTION The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the...
A PV guest could DoS Xen while unmapping a grant
ISSUE DESCRIPTION To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two...
arm: guest_physmap_remove_page not removing the p2m mappings
ISSUE DESCRIPTION The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a vali...
frontends vulnerable to backends
ISSUE DESCRIPTION Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the...
Guest can force Linux netback driver to hog large amounts of kernel memory
ISSUE DESCRIPTION Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken to avoid piling up too much data, but those can be bypassed by the guest: There is a timeout how long the client side ...
Rogue backends can cause DoS of guests via high frequency events
ISSUE DESCRIPTION Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the...
issues with partially successful P2M updates on x86
ISSUE DESCRIPTION x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specifie...
grant table v2 status pages may remain accessible after de-allocation (take two)
ISSUE DESCRIPTION Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switches back from v2 to v1. The freeing of such...
guests may exceed their designated memory limit
ISSUE DESCRIPTION When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be th...
PoD operations on misaligned GFNs
ISSUE DESCRIPTION x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specifie...
certain VT-d IOMMUs may not work in shared page table mode
ISSUE DESCRIPTION For efficiency reasons, address translation control structures (page tables) may and, on suitable hardware, by default will be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU ma...
PCI devices with RMRRs not deassigned correctly
ISSUE DESCRIPTION Certain PCI devices in a system might be assigned Reserved Memory Regions specified via Reserved Memory Region Reporting, "RMRR". These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the...
Another race in XENMAPSPACE_grant_table handling
ISSUE DESCRIPTION Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches back from v2 to v1. Freeing such pages...
inadequate grant-v2 status frames array bounds check
ISSUE DESCRIPTION The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit gues...
grant table v2 status pages may remain accessible after de-allocation
ISSUE DESCRIPTION Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switches back from v2 to v1. The freeing of such...
IOMMU page mapping issues on x86
ISSUE DESCRIPTION Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply ...
xen/arm: No memory limit for dom0less domUs
ISSUE DESCRIPTION The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit for them is not set. This allows a domain to allocate memory beyond what an administrator originally configured. IMPACT Malicious dom0less gues...
long running loops in grant table handling
ISSUE DESCRIPTION In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use...
Guest triggered use-after-free in Linux xen-netback
ISSUE DESCRIPTION A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux...
x86: TSX Async Abort protections not restored after S3
ISSUE DESCRIPTION This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default setting in MSR_TSX_CTRL. This setti...
Speculative Code Store Bypass
ISSUE DESCRIPTION Modern superscalar processors may employ sophisticated decoding and caching of the instruction stream to improve performance. However, a consequence is that self-modifying code updates may not take effect instantly. Whatever the architectural guarantees, some CPUs have...
xen/arm: Boot modules are not scrubbed
ISSUE DESCRIPTION The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, i...
inappropriate x86 IOMMU timeout detection / handling
ISSUE DESCRIPTION IOMMUs process commands issued to them in parallel with the operation of the CPUs issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the...
x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests
ISSUE DESCRIPTION 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different...
Linux: blkback driver may leak persistent grants
ISSUE DESCRIPTION The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup...
HVM soft-reset crashes toolstack
ISSUE DESCRIPTION libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline, but not all of them. When the...
Linux: special config may crash when trying to map foreign pages
ISSUE DESCRIPTION With CONFIG_XEN_BALLOON_MEMORY_HOTPLUG disabled and CONFIG_XEN_UNPOPULATED_ALLOC enabled the Linux kernel will use guest physical addresses allocated via the ZONE_DEVICE functionality for mapping foreign guest's pages. This will result in problems, as the p2m list will only cover the...
Linux: netback fails to honor grant mapping errors
ISSUE DESCRIPTION XSA-362 tried to address issues here, but in the case of the netback driver the changes were insufficient: It left the relevant function invocation with, effectively, no error handling at all. As a result, memory allocation failures there could still lead to frontend-induced...
missed flush in XSA-321 backport
ISSUE DESCRIPTION An oversight was made when backporting XSA-321, leading to entries in the IOMMU not being properly updated under certain circumstances. IMPACT A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose...
Linux: grant mapping error handling issues
ISSUE DESCRIPTION Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the...
Linux: error handling issues in blkback's grant mapping
ISSUE DESCRIPTION To service requests, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent...
Linux: display frontend "be-alloc" mode is unsupported
ISSUE DESCRIPTION The backend allocation mode of Linux's drm_xen_front driver was not meant to be a supported configuration, but this wasn't stated accordingly in its support status entry. IMPACT Use of the feature may have unknown effects. VULNERABLE SYSTEMS Linux versions from 4.18 onwards are...
arm: The cache may not be cleaned for newly allocated scrubbed pages
ISSUE DESCRIPTION On Arm, a guest is allowed to control whether memory accesses bypass the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately the operation to clean the cache happens...
Linux: backends treating grant mapping errors as bugs
ISSUE DESCRIPTION Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests, like out of memory conditions, it isn't correct to assume so. Memory allocations potentially causing such...
IRQ vector leak on x86
ISSUE DESCRIPTION An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries set up. Such reboots will leak any vectors used by the MSI-X entries that the guest might have enabled, a...
Xenstore: guests can disturb domain cleanup
ISSUE DESCRIPTION Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately this is done by just removing the guest from xenstored's internal management, resulting in th...
Xenstore: wrong path length check
ISSUE DESCRIPTION A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests' namespaces, necessarily using absolute paths. oxenstored...
Xenstore: new domains inheriting existing node permissions
ISSUE DESCRIPTION Access rights of Xenstore nodes are per domid. Unfortunately, existing granted access rights are not removed when a domain is destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domains with the...
oxenstored memory leak in reset_watches
ISSUE DESCRIPTION When acting upon a guest XS_RESET_WATCHES request, not all tracking information is freed. IMPACT A guest can cause unbounded memory usage in oxenstored. This can lead to a system-wide DoS. VULNERABLE SYSTEMS All versions of Xen since 4.6 are vulnerable. Only systems using the Ocaml...
Xenstore: guests can crash xenstored via watches
ISSUE DESCRIPTION When a Xenstore watch fires, the xenstore client which registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry which triggered the watch, and the tag which was specified when registering the watch. Any communication with xenstored ...
infinite loop when cleaning up IRQ vectors
ISSUE DESCRIPTION When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU m...
FIFO event channels control block related ordering
ISSUE DESCRIPTION Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. IMPACT Malicious or buggy guest kernels can mount a Denial of...
Use after free triggered by block frontend in Linux blkback
ISSUE DESCRIPTION The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use ...
oxenstored: permissions not checked on root node
ISSUE DESCRIPTION In the Ocaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent. Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests can get and modify...
oxenstored: node ownership can be changed by unprivileged clients
ISSUE DESCRIPTION Nodes in xenstore have an ownership. In oxenstored, an owner could give a node away. But node ownership has quota implications. Any guest can run another guest out of quota, or create an unbounded number of nodes owned by dom0, thus running xenstored out of memory. IMPACT A...
undue recursion in x86 HVM context switch code
ISSUE DESCRIPTION When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen witho...
FIFO event channels control structure ordering
ISSUE DESCRIPTION A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer side uses appropriately ordered writes, the consumer side isn't protected against re-ordered reads, and may hence end up...
XAPI: guest-triggered excessive memory usage
ISSUE DESCRIPTION Certain xenstore keys provide feedback from the guest, and are therefore watched by the toolstack. Specifically, keys are watched by xenopsd, and data are forwarded via RPC through message-switch to xapi. The watching logic in xenopsd sends one RPC update containing all data, any time...
Frontends can trigger OOM in Backends by updating a watched path
ISSUE DESCRIPTION Some OSes such as Linux, FreeBSD, NetBSD are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. IMPACT A malicious...
xenstore watch notifications lacking permission checks
ISSUE DESCRIPTION Neither xenstore implementation does any permissions checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified and deleted key. A guest administrator can also use the special...