race with pass-through device hotplug
ISSUE DESCRIPTION When adding a passed-through PCI device to a domain after it was already started, IOMMU page tables may need constructing on the fly. For PV guests the decision whether a page ought to have a mapping is based on whether the page is writable, to prevent IOMMU access to things lik...
x86: steal_page violates page_struct access discipline
ISSUE DESCRIPTION Xen's reference counting rules were designed to allow pages to change owner and state without requiring a global lock. Each page has a page structure, and a very specific set of access disciplines must be observed to ensure that pages are freed properly, and that no writable...
grant table transfer issues on large hosts
ISSUE DESCRIPTION When the code processing grant table transfer requests finds a page with an address too large to be represented in the interface with the guest, it allocates a replacement page and copies page contents. However, the code doing so fails to set the newly allocated page's accountin...
x86: PV kernel context switch corruption
ISSUE DESCRIPTION On hardware supporting the fsgsbase feature, 64bit PV guests can set and clear the applicable control bit in its virtualised %cr4, but the feature remains fully active in hardware. Therefore, the associated instructions are actually usable. Linux, which does not currently suppor...
x86: insufficient TLB flushing when using PCID
ISSUE DESCRIPTION Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 and in particular its Meltdown sub-issue. This enablement implied changes to the TLB flushing logic. The particular case of context switch to a vCPU of a PCID-enabled...
missing preemption in x86 PV page table unvalidation
ISSUE DESCRIPTION XSA-273 changes required, among other things, making any PTE updates restartable. The changes making PTE updates restartable assumed that L2 pagetables would always be promoted preemptibly; but this turns out not to be the case when using the 'linear pagetable' feature; the resu...
x86: Inconsistent PV IOMMU discipline
ISSUE DESCRIPTION In order for a PV domain to set up DMA from a passed-through device to one of its pages, the page must be mapped in the IOMMU. On the other hand, before a PV page may be used as a "special" page type such as a pagetable or descriptor table, it must not be writable in the IOMMU...
x86 shadow: Insufficient TLB flushing when using PCID
ISSUE DESCRIPTION Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 and in particular its Meltdown sub-issue. This enablement implied changes to the TLB flushing logic. One aspect which was overlooked is the safety of switching between...
Withdrawn Xen Security Advisory number
DESCRIPTION XSA-283 stated: VT-d: Incorrect accesses into the Interrupt Remapping table A VT-d IOMMU has several tables in main RAM, which are configured by the driver when it starts. The tables are required to be aligned on a 4k boundary, and the control registers in the IOMMU which point to the...
Cache-load gadgets exploitable with L1TF
ISSUE DESCRIPTION Previously reported vulnerabilities CVE-2017-5753 / XSA-254 (Spectre V1) and CVE-2018-3646 / XSA-273 (L1TF) can, when combined, be leveraged to more easily gather leaked information. A Spectre v1 gadget is a speculation sequence which starts with a conditional branch, contains a...
Fix for XSA-240 conflicts with shadow paging
ISSUE DESCRIPTION The fix for XSA-240 introduced a new field into the control structure associated with each page of RAM. This field was added to a union, another member of which is used when Xen uses shadow paging for the guest. During migration, or with the L1TF (XSA-273) mitigation for PV guests...
x86: DoS from attempting to use INVPCID with a non-canonical addresses
ISSUE DESCRIPTION The INVPCID instruction raises GP0 if an attempt is made to invalidate a non-canonical address. Older flushing mechanisms such as INVLPG tolerate this without error, and perform no action. There is one guest accessible path in Xen where a non-canonical address was passed into th...
x86: incorrect error handling for guest p2m page removals
ISSUE DESCRIPTION The internal function querying a domain's p2m table grabs the p2m lock by default, so that the answer to the query remains true until the caller can act on that information; it is up to the caller then to release the lock. Unfortunately, certain failure paths don't release the...
resource accounting issues in x86 IOREQ server handling
ISSUE DESCRIPTION Allocation of pages used to communicate with external emulators did not follow certain principles that are required for proper life cycle management of guest exposed pages. IMPACT A compromised DM stubdomain may cause Xen to crash, resulting in a DoS (Denial of Service) affecting...
insufficient TLB flushing / improper large page mappings with AMD IOMMUs
ISSUE DESCRIPTION In order to be certain that no undue access to memory is possible anymore after IOMMU mappings of this memory have been removed, Translation Lookaside Buffers (TLBs) need to be flushed after most changes to such mappings. Xen bypassed certain IOMMU flushes on AMD x86 hardware...
guest use of HLE constructs may lock up host
ISSUE DESCRIPTION Various Intel CPU models have an erratum listed under the title "Processor May Hang When Executing Code In an HLE Transaction". It describes a potential hang when using instructions with the XACQUIRE prefix on the host physical memory range covering the first 4 MiB starting at t...
x86: Nested VT-x usable even when disabled
ISSUE DESCRIPTION When running HVM guests, virtual extensions are enabled in hardware because Xen is using them. As a result, a guest can blindly execute the virtualisation instructions, and will exit to Xen for processing. In the case that the guest hasn't followed the correct virtual...
L1 Terminal Fault speculative side channel
ISSUE DESCRIPTION In x86 nomenclature, a Terminal Fault is a pagetable walk which aborts due to the page being not present e.g. paged out to disk, or because of reserved bits being set. Architecturally, such a memory access will result in a page fault exception, but some processors will...
XAPI HTTP directory traversal
ISSUE DESCRIPTION XAPI has an unauthenticated HTTP endpoint update/ which exports the contents of /var/update for other hosts to use. However, the resolution of . and .. in paths is performed before url unquoting is performed. This allows an attacker to traverse out of the web root. IMPACT An...
x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS
ISSUE DESCRIPTION The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must...
Linux netback driver OOB access in hash handling
ISSUE DESCRIPTION Linux's netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation was missing or flawed. IMPACT A malicious or buggy frontend may cause the usually privileged backend to make o...
oxenstored does not apply quota-maxentity
ISSUE DESCRIPTION The logic in oxenstored for handling writes depended on the order of evaluation of expressions making up a tuple. As indicated in section 7.7.3 "Operations on data structures" of the OCaml manual: http://caml.inria.fr/pub/docs/manual-ocaml/expr.html the order of evaluation of...
Use of v2 grant tables may cause crash on ARM
ISSUE DESCRIPTION ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG checks. IMPACT An unprivilege...
Linux: Uninitialized state in x86 PV failsafe callback path
ISSUE DESCRIPTION Linux has a failsafe callback, invoked by Xen under certain conditions. Normally in this failsafe callback, errorentry is paired with errorexit; and errorentry uses %ebx to communicate to errorexit whether to use the user or kernel return path. Unfortunately, on 64-bit PV Xen on...
preemption checks bypassed in x86 PV MM handling
ISSUE DESCRIPTION Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table...
x86: #DB exception safety check can be triggered by a guest
ISSUE DESCRIPTION One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. IMPACT A malicious PV guest can crash Xen, leading to a Denial of...
libxl fails to honour readonly flag on HVM emulated SCSI disks
ISSUE DESCRIPTION libxl fails to pass the readonly flag to qemu when setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. IMPACT Malicious guest administrators or in some situations users may be able to write to supposedly read-only disk images. VULNERABLE...
Speculative register leakage from lazy FPU context switching
ISSUE DESCRIPTION x86 has a hardware mechanism for lazy FPU context switching. On a task switch, %cr0.ts (Task Switched) gets set, and the next instruction to touch floating point state raises an #NM (No Math, later known as Device Not Available) exception. Traditionally, FPU state has been large in...
Speculative Store Bypass
ISSUE DESCRIPTION Contemporary high performance processors may use a technique commonly known as Memory Disambiguation, whereby speculative execution may proceed past unresolved stores. This opens a speculative sidechannel in which loads from an address which have had a recent store can observe a...
x86 vHPET interrupt injection errors
ISSUE DESCRIPTION The High Precision Event Timer (HPET) can be configured to deliver interrupts in one of three different modes - through legacy interrupts; through the IO-APIC; or optionally via a method similar to PCI MSI. The last mode is optional and not implemented by Xen. However, of the firs...
qemu may drive Xen into unbounded loop
ISSUE DESCRIPTION When Xen sends requests to a device model, the next expected action inside Xen is tracked using a state field. The requests themselves are placed in a memory page shared with the device model, so that the device model can communicate to Xen its progress on the request. The state...
x86: mishandling of debug exceptions
ISSUE DESCRIPTION When switching stacks, it is critical to have a matching stack segment and stack pointer. To allow an atomic update from what would otherwise be two adjacent instructions, an update which changes the stack segment either a mov or pop instruction with %ss encoded as the destinati...
x86: PV guest may crash Xen with XPTI
ISSUE DESCRIPTION The workaround for the Meltdown vulnerability (XSA-254) failed to deal with an error code path connecting the INT 80 handling with general exception handling. This results in an unconditional write attempt of the value zero to an address near 2^64, in cases where a PV guest has no...
Information leak via crafted user-supplied CDROM
ISSUE DESCRIPTION QEMU handles many different file formats for virtual disks e.g., raw, qcow2, vhd, &c. Some of these formats are "snapshots" that specify "patches" to an alternate disk image, whose filename is included in the snapshot file. When qemu is given a disk but the type is not specified...
x86 PVH guest without LAPIC may DoS the host
ISSUE DESCRIPTION So far, x86 PVH guests can be configured with or without Local APICs. Configurations with Local APICs are identical to x86 HVM guests, and will use as much hardware acceleration support as possible. Configurations without Local APICs try to turn off all hardware acceleration, an...
grant table v2 -> v1 transition may crash Xen
ISSUE DESCRIPTION Grant tables come in two flavors (versions), and domains are permitted to freely change between them subject to certain constraints. For the guest to use the facility, both the "normal" shared pages applicable to v1 and v2 and the "status" pages applicable to v2 only need to be...
DoS via non-preemptable L3/L4 pagetable freeing
ISSUE DESCRIPTION Guests have the ability to request removal of memory from themselves. This operation is intended to be requested for normal read/write pages, but is also permitted to be used on other types of pages. So far this in particular included pages pinned to their current type, with the...
x86: memory leak with MSR emulation
ISSUE DESCRIPTION In Xen 4.10, new infrastructure was introduced as part of an overhaul to how MSR emulation happens for guests. Unfortunately, one tracking structure isn't freed when a vcpu is destroyed. IMPACT A memory allocation of 8 bytes is leaked each time a vcpu is destroyed. A malicious...
Information leak via side effects of speculative execution
ISSUE DESCRIPTION Processors give the illusion of a sequence of instructions executed one-by-one. However, in order to most efficiently use cpu resources, modern superscalar processors actually begin executing many instructions in parallel. In cases where instructions depend on the result of...
improper x86 shadow mode refcount error handling
ISSUE DESCRIPTION Pages being used to run x86 guests in shadow mode are reference counted to track their uses. When another reference cannot be acquired, the corresponding page table entry must not be inserted. Due to incorrect error handling, this constraint could be violated. IMPACT A malicious...
improper bug check in x86 log-dirty handling
ISSUE DESCRIPTION Memory sharing, available to x86 HVM guests only, uses a special value in the global machine to physical address translation table (M2P). PV guests have full control over M2P entries corresponding to pages they own. A bug check (specifically, an assertion that an M2P entry is not t...
x86 PV guests may gain access to internally used pages
ISSUE DESCRIPTION Memory management for PV guests builds on page ownership and page attributes. A domain can always map, at least r/o, pages of which it is the owner. Certain fields in the control structure of a page are used for different purposes in the main PV memory management code and in cod...
broken x86 shadow mode refcount overflow check
ISSUE DESCRIPTION Pages being used to run x86 guests in shadow mode are reference counted to track their uses. Unfortunately the overflow check when trying to obtain a new reference used a mask one bit wider than the reference count actually is, rendering the entire check ineffective. IMPACT A...
x86: infinite loop due to missing PoD error checking
ISSUE DESCRIPTION Failure to recognize errors being returned from low level functions in Populate on Demand (PoD) code may result in higher level code entering an infinite loop. IMPACT A malicious HVM guest can cause one pcpu to permanently hang. This normally cascades into the whole system freezin...
Missing p2m error checking in PoD code
ISSUE DESCRIPTION Certain actions require modification of entries in a guest's P2M (Physical-to-Machine) table. When large pages are in use for this table, such an operation may incur a memory allocation to replace a large mapping with individual smaller ones. If this allocation fails, the...
pin count / page reference race in grant table code
ISSUE DESCRIPTION Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns...
page type reference leak on x86
ISSUE DESCRIPTION The page type system of Xen requires cleanup when the last reference for a given page is being dropped. In order to exclude simultaneous updates to a given page by multiple parties, pages which are updated are locked beforehand. This locking includes temporarily increasing the...
DMOP map/unmap missing argument checks
ISSUE DESCRIPTION DMOPs (which were a subgroup of HVMOPs in older releases) allow guests to control and drive other guests. The I/O request server page mapping interface uses range sets to represent I/O resources the emulation of which is provided by a given I/O request server. The internals of the...
x86: Incorrect handling of self-linear shadow mappings with translated guests
ISSUE DESCRIPTION The shadow pagetable code uses linear mappings to inspect and modify the shadow pagetables. A linear mapping which points back to itself is known as self-linear. For translated guests, the shadow linear mappings being in a separate address space are not intended to be self-linea...
Unlimited recursion in linear pagetable de-typing
ISSUE DESCRIPTION x86 PV guests are permitted to set up certain forms of what is often called "linear page tables", where pagetables contain references to other pagetables at the same level or higher. Certain restrictions apply in order to fit into Xen's page type handling system. An important...