stack corruption from XSA-346 change
ISSUE DESCRIPTION One of the two changes for XSA-346 introduced an on-stack array. The check for guarding against overrunning this array was off by one, allowing for corruption of the first stack slot immediately following this array. IMPACT A malicious or buggy HVM or PVH guest can cause Xen to...
Information leak via power sidechannel
ISSUE DESCRIPTION Researchers have demonstrated using software power/energy monitoring interfaces to create covert channels, and infer the operations/data used by other contexts within the system. Access to these interfaces should be restricted to privileged software, but it was found that Xen...
unsafe AMD IOMMU page table updates
ISSUE DESCRIPTION AMD IOMMU page table entries are updated in a step by step manner, without regard to them being potentially in use by the IOMMU. Therefore it was possible that the IOMMU would read and then use a half-updated entry. Furthermore, updates to Device Table entries lacked suitable...
undue deferral of IOMMU TLB flushes
ISSUE DESCRIPTION To efficiently change the physical to machine address mappings of a larger range of addresses for fully virtualized guests, Xen contains an optimization to coalesce per-page IOMMU TLB flushes into a single, wider flush after all adjustments have been made. While this is fine to ...
x86: Race condition in Xen mapping code
ISSUE DESCRIPTION The Xen code handling the updating of the hypervisor's own pagetables tries to use 2MiB and 1GiB superpages as much as possible to maximize TLB efficiency. Some of the operations for checking and coalescing superpages take a non-negligible amount of time; to avoid potential lock...
x86 PV guest INVLPG-like flushes may leave stale TLB entries
ISSUE DESCRIPTION x86 PV guest kernels may use hypercalls with INVLPG-like behavior to invalidate TLB entries even after changes to non-leaf page tables. Such changes to non-leaf page tables will, however, also render stale possible TLB entries created by Xen's internal use of linear page tables ...
Race condition in Linux event handler may crash dom0
ISSUE DESCRIPTION The Linux kernel event channel handling code doesn't defend the handling of an event against the same event channel being removed in parallel. This can result in accesses to already freed memory areas or NULL pointer dereferences in the event handling code, leading to misbehavio...
Rogue guests can cause DoS of Dom0 via high frequency events
ISSUE DESCRIPTION The handling of Xen events in the Linux kernel runs with interrupts disabled in a loop until no further event is pending. Whenever an event has been accepted by the kernel, another event can come in via the same event channel. This can result in the event handling loop running f...
once valid event channels may not turn invalid
ISSUE DESCRIPTION Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determini...
x86 pv: Crash when handling guest access to MSR_MISC_ENABLE
ISSUE DESCRIPTION When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a GP fault, which is t...
out of bounds event channels available to 32-bit x86 domains
ISSUE DESCRIPTION The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared between guest and Xen...
PCI passthrough code reading back hardware registers
ISSUE DESCRIPTION Code paths in Xen's MSI handling have been identified which act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for device...
Missing unlock in XENMEM_acquire_resource error path
ISSUE DESCRIPTION The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar to forgetting to unlock a spinlock. IMPACT A buggy or malicious HVM stubdomain can cause a...
lack of preemption in evtchn_reset() / evtchn_destroy()
ISSUE DESCRIPTION In particular the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these when resetting all event channels or when cleaning up after the guest may take extended periods of time. So far there was no arrangement for...
race when migrating timers between x86 HVM vCPU-s
ISSUE DESCRIPTION When migrating timers of x86 HVM guests between its vCPU-s, the locking model used allows for a second vCPU of the same guest also operating on the timers to release a lock that it didn't acquire. IMPACT The most likely effect of the issue is a hang or crash of the hypervisor,...
races with evtchn_reset()
ISSUE DESCRIPTION Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. IMPACT In particular x86 PV guests may ...
x86 pv guest kernel DoS via SYSENTER
ISSUE DESCRIPTION The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege GP fault (typically fatal) rather than ...
Missing memory barriers when accessing/allocating an event channel
ISSUE DESCRIPTION Event channel control structures can be accessed locklessly as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g. smp_mb()) to prevent both the compiler and the CPU from re-ordering the accesses. IMPACT A malicious guest may be able to cause a...
QEMU: usb: out-of-bounds r/w access issue
ISSUE DESCRIPTION An out-of-bounds read/write access issue was found in the USB emulator of QEMU. It occurs while processing USB packets from a guest, when 'USBDevice->setup_len' exceeds the USBDevice->data_buf[4096], in the do_token_in/out routines. IMPACT A guest user may use this flaw to crash the QEM...
Linux ioperm bitmap context switching issues
ISSUE DESCRIPTION Linux 5.5 overhauled the internal state handling for the iopl and ioperm system calls. Unfortunately, one aspect on context switch wasn't wired up correctly for the Xen PVOps case. IMPACT IO port permissions don't get rescinded when context switching to an unprivileged task...
non-atomic modification of live EPT PTE
ISSUE DESCRIPTION When mapping guest EPT nested paging tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially-written PTE to the hardware, which an attacker might be able ...
inverted code paths in x86 dirty VRAM tracking
ISSUE DESCRIPTION An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. IMPACT A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service (DoS)...
Incorrect error handling in event channel port allocation
ISSUE DESCRIPTION The allocation of an event channel port may fail for multiple reasons: (1) the port is already in use; (2) the memory allocation failed; (3) the port we try to allocate is higher than what is supported by the ABI (e.g. 2L or FIFO) used by the guest or the limit set by an administrator...
Missing alignment check in VCPUOP_register_vcpu_info
ISSUE DESCRIPTION The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the region is accessed with instructions which require a specific alignment...
insufficient cache write-back under VT-d
ISSUE DESCRIPTION When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs the CPU caches also need writing back to memory after changes were made. Such writing back of cached dat...
Special Register Buffer speculative side channel
ISSUE DESCRIPTION This issue is related to the MDS and TAA vulnerabilities. Please see https://xenbits.xen.org/xsa/advisory-297.html (MDS) and https://xenbits.xen.org/xsa/advisory-305.html (TAA) for details. Certain processor operations microarchitecturally need to read data from outside the physical...
Bad continuation handling in GNTTABOP_copy
ISSUE DESCRIPTION Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 / XSA-226 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular the status fields...
Bad error path in GNTTABOP_map_grant
ISSUE DESCRIPTION Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly...
Missing memory barriers in read-write unlock paths
ISSUE DESCRIPTION The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. ...
multiple xenoprof issues
ISSUE DESCRIPTION Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed. This is CVE-2020-11740. Furthermore, for guests for which "active" profiling was enabled by the administrator, the xenoprof code use...
Load Value Injection (LVI) speculative side channel
ISSUE DESCRIPTION This is very closely related to the Microarchitectural Data Sampling vulnerabilities from May 2019. Please see https://xenbits.xen.org/xsa/advisory-297.html for details about MDS. A new way of using the micro-architectural details behind MDS has been identified. Instead of simpl...
arm: a CPU may speculate past the ERET instruction
ISSUE DESCRIPTION Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by a lower privilege level (i.e. guest kernel/userspace) at the point of the ERET, this could...
find_next_bit() issues
ISSUE DESCRIPTION In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: - On 32-bit Arm, accesses to bitmaps with a bit count which is a multiple of 32 may result in an out of bounds access...
Further issues with restartable PV type change operations
ISSUE DESCRIPTION XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed. IMPACT A malicious PV guest administrator may be able to escalate their privilege to that of the host. VULNERABLE SYSTEMS Al...
Linear pagetable use / entry miscounts
ISSUE DESCRIPTION "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level i.e., L...
VMX: VMentry failure with debug exceptions and blocked states
ISSUE DESCRIPTION Please see XSA-260 for background on the MovSS shadow: http://xenbits.xen.org/xsa/advisory-260.html Please see XSA-156 for background on the need for DB interception: http://xenbits.xen.org/xsa/advisory-156.html The VMX VMEntry checks do not like the exact combination of state...
Bugs in dynamic height handling for AMD IOMMU pagetables
ISSUE DESCRIPTION When running on AMD systems with an IOMMU, Xen attempted to dynamically adapt the number of levels of pagetables (the pagetable height) in the IOMMU according to the guest's address space size. The code to select and update the height had several bugs. Notably, the update was done...
Device quarantine for alternate pci assignment methods
ISSUE DESCRIPTION XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of...
TSX Asynchronous Abort speculative side channel
ISSUE DESCRIPTION This is very closely related to the Microarchitectural Data Sampling vulnerabilities from May 2019. Please see https://xenbits.xen.org/xsa/advisory-297.html for details about MDS. A new way to sample data from microarchitectural structures has been identified. A TSX Asynchronous...
x86: Machine Check Error on Page Size Change DoS
ISSUE DESCRIPTION An erratum exists across some CPUs whereby an instruction fetch may cause a machine check error if the pagetables have been updated in a specific manner without invalidating the TLB. The x86 architecture explicitly permits modification of the pagetables without TLB invalidation,...
missing descriptor table limit checking in x86 PV emulation
ISSUE DESCRIPTION When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through...
add-to-physmap can be abused to DoS Arm hosts
ISSUE DESCRIPTION p2m->max_mapped_gfn is used by the functions p2m_resolve_translation_fault and p2m_get_entry to sanity check the guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON. The function p2m_get_root_pointer will ignore...
ARM: Interrupts are unconditionally unmasked in exception handlers
ISSUE DESCRIPTION When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. IMPACT A malicious guest...
VCPUOP_initialise DoS
ISSUE DESCRIPTION hypercall_create_continuation is a variadic function which uses a printf-like format string to interpret its parameters. Error handling for a bad format character was done using BUG, which crashes Xen. One path, via the VCPUOP_initialise hypercall, has a bad format character. The B...
passed through PCI devices may corrupt host memory after deassignment
ISSUE DESCRIPTION When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the...
Issues with restartable PV type change operations
ISSUE DESCRIPTION To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used...
Linux: No grant table and foreign mapping limits
ISSUE DESCRIPTION Virtual device backends and device models running in domain 0, or other backend driver domains, need to be able to map guest memory either via grant mappings, or via the foreign mapping interface. Inside Xen, mapped grants are tracked by the maptrack structure. The size of this...
Unlimited Arm Atomics Operations
ISSUE DESCRIPTION Software targeting pre-Armv8.1-A hardware, Xen included, commonly implements atomics using Load/Store exclusive instructions in a loop that will terminate once the store succeeded. As per the Armv8-A Architecture Reference Manual (ARM DDI0487D.a), paragraph 2.9.5 "Load-Exclusive a...
Microarchitectural Data Sampling speculative side channel
ISSUE DESCRIPTION Microarchitectural Data Sampling refers to a group of speculative side-channel vulnerabilities. They consist of: CVE-2018-12126 - MSBDS - Microarchitectural Store Buffer Data Sampling; CVE-2018-12127 - MLPDS - Microarchitectural Load Port Data Sampling; CVE-2018-12130 - MFBDS -...
x86/PV: page type reference counting issue with failed IOMMU update
ISSUE DESCRIPTION When an x86 PV domain has a passed-through PCI device assigned, IOMMU mappings may need to be updated when the type of a particular page changes. Such an IOMMU operation may fail. In the event of failure, while at present the affected guest would be forcibly crashed, the already...