482 matches found
x86: Incorrect handling of IST settings during CPU hotplug
ISSUE DESCRIPTION The x86-64 architecture allows interrupts to be run on distinct stacks. The choice of stack is encoded in a field of the corresponding interrupt descriptor in the Interrupt Descriptor Table (IDT). That field selects an entry from the active Task State Segment (TSS). Since, on AMD...
Stale TLB entry due to page type release race
ISSUE DESCRIPTION x86 PV guests effect TLB flushes by way of a hypercall. Xen tries to reduce the number of TLB flushes by delaying them as much as possible. When the last type reference of a page is dropped, the need for a TLB flush before the page is re-used is recorded. If a guest TLB flush...
hypervisor stack leak in x86 I/O intercept code
ISSUE DESCRIPTION Intercepted I/O operations may deal with less than a full machine word's worth of data. While read paths had been the subject of earlier XSAs and hence have been fixed, at least one write path was found where the data stored into an internal structure could contain bits from an...
multiple MSI mapping issues on x86
ISSUE DESCRIPTION Multiple issues exist with the setup of PCI MSI interrupts: - unprivileged guests were permitted access to devices not owned by them, in particular allowing them to disable MSI or MSI-X on any device - HVM guests can trigger a codepath intended only for PV guests - some failure...
ARM: Some memory not scrubbed at boot
ISSUE DESCRIPTION Data can remain readable in DRAM across soft and even hard reboots. To ensure that sensitive data is not leaked from one domain to another after a reboot, Xen must "scrub" all memory on boot (write it with zeroes). Unfortunately, it was discovered that when memory was in disjoint...
Missing check for grant table
ISSUE DESCRIPTION The function gnttab_cache_flush handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see if a grant mapping to the calling domain exists for...
Missing NUMA node parameter verification
ISSUE DESCRIPTION The function alloc_heap_pages allows callers to specify the first NUMA node that should be used for allocations through the memflags parameter; the node is extracted using the MEMF_get_node macro. While the function checks to see if the special constant NUMA_NO_NODE is specified, it...
insufficient grant unmapping checks for x86 PV guests
ISSUE DESCRIPTION When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were...
cxenstored: Race in domain cleanup
ISSUE DESCRIPTION When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. IMPACT The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on it including domain creation / destruction, ballooning, device changes, etc. VULNERABLE SYSTEM...
add-to-physmap error paths fail to release lock on ARM
ISSUE DESCRIPTION When dealing with the grant map space of add-to-physmap operations, ARM specific code recognizes a number of error conditions, but fails to release a lock being held on the respective exit paths. IMPACT A malicious guest administrator can cause a denial of service. Specifically,...
grant_table: possibly premature clearing of GTF_writing / GTF_reading
ISSUE DESCRIPTION Xen maintains the GTF_{read,writing} bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, X...
grant_table: Race conditions with maptrack free list handling
ISSUE DESCRIPTION The grant table code in Xen has a bespoke semi-lockfree allocator for recording grant mappings ("maptrack" entries). This allocator has a race which allows the free list to be corrupted. Specifically: the code for removing an entry from the free list, prior to use, assumes without...
x86: PV privilege escalation via map_grant_ref
ISSUE DESCRIPTION When mapping a grant reference, a guest must inform Xen of where it would like the grant mapped. For PV guests, this is done by nominating an existing linear address, or an L1 pagetable entry, to be altered. Neither of these PV paths check for alignment of the passed parameter...
linux: Fix Xen block IO merge-ability calculation
ISSUE DESCRIPTION The block layer in Linux may choose to merge adjacent block IO requests. When Linux is running as a Xen guest, the default merging algorithm is replaced with a Xen-specific one. When Linux is running as an x86 PV guest, some BIO's are erroneously merged, corrupting the data stre...
multiple problems with transitive grants
ISSUE DESCRIPTION 1) Code to handle copy operations on transitive grants has built in retry logic, involving a function reinvoking itself with unchanged parameters. Such use assumes that the compiler would also translate this to a so called "tail call" when generating machine code. Empirically, th...
NULL pointer deref in event channel poll
ISSUE DESCRIPTION When polling event channels, in general arbitrary port numbers can be specified. Specifically, there is no requirement that a polled event channel port has ever been created. When the code was generalised from an earlier implementation, introducing some intermediate pointers, a...
page transfer may allow PV guest to elevate privilege
ISSUE DESCRIPTION Domains controlling other domains are permitted to map pages owned by the domain being controlled. If the controlling domain unmaps such a page without flushing the TLB, and if soon after the domain being controlled transfers this page to another PV domain via GNTTABOP_transfer o...
arm: vgic: Out-of-bound access when sending SGIs
ISSUE DESCRIPTION ARM guests can send SGI (i.e. IPI) targeting a list of vCPUs using the MMIO register GICD_SGIR (GICv2) or System Register ICC_SGI1R (GICv3). However, the emulation code does not sanitize the list and will directly access an array without checking whether the array index is within bounds...
stale P2M mappings due to insufficient error checking
ISSUE DESCRIPTION Certain actions require removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation to replace a large mapping with individual smaller ones. If...
ARM guest disabling interrupt may crash Xen
ISSUE DESCRIPTION Virtual interrupt injection could be triggered by a guest when sending an SGI (e.g. IPI) to any vCPU or by configuring timers. When the virtual interrupt is masked, a missing check in the injection path may result in reading an invalid hardware register or crashing the host. IMPACT A...
grant table operations mishandle reference counts
ISSUE DESCRIPTION We have discovered a number of bugs in the code mapping and unmapping grant references. If a grant is mapped with both the GNTMAP_device_map and GNTMAP_host_map flags, but unmapped only with host_map, the device_map portion remains but the page reference counts are lowered as though i...
x86: insufficient reference counts during shadow emulation
ISSUE DESCRIPTION When using shadow paging, writes to guest pagetables must be trapped and emulated, so the shadows can be suitably adjusted as well. When emulating the write, Xen maps the guest's pagetables to make the final adjustment and leave the guest's view of its state consistent. However,...
Races in the grant table unmap code
ISSUE DESCRIPTION We have discovered two bugs in the code unmapping grant references. When a grant had been mapped twice by a backend domain, and then unmapped by two concurrent unmap calls, the frontend may be informed that the page had no further mappings when the first call completed rather th...
x86: PKRU and BND* leakage between vCPU-s
ISSUE DESCRIPTION Memory Protection Extensions (MPX) and Protection Key (PKU) are features in newer processors, whose state is intended to be per-thread and context switched along with all other XSAVE state. Xen's vCPU context switch code would save and restore the state only if the guest had set the...
blkif responses leak backend stack data
ISSUE DESCRIPTION The block interface response structure has some discontiguous fields. Certain backends populate the structure fields of an otherwise uninitialized instance of this structure on their stacks, leaking data through the internal or trailing padding field. IMPACT A malicious...
x86: 64bit PV guest breakout via pagetable use-after-mode-change
ISSUE DESCRIPTION 64-bit PV guests typically use separate root page tables for their kernel and user modes. Hypercalls are accessible to guest kernel context only, which certain hypercall handlers make assumptions on. The IRET hypercall, replacing the identically named CPU instruction, is used by...
possible memory corruption via failsafe callback
ISSUE DESCRIPTION Under certain special conditions Xen reports an exception resulting from returning to guest mode not via ordinary exception entry points, but via a so called failsafe callback. This callback, unlike exception handlers, takes 4 extra arguments on the stack, the saved data selectors...
grant transfer allows PV guest to elevate privileges
ISSUE DESCRIPTION The GNTTABOP_transfer operation allows one guest to transfer a page to another guest. The internal processing of this, however, does not include zapping the previous type of the page being transferred. This makes it possible for a PV guest to transfer a page previously used as pa...
x86: broken check in memory_exchange() permits PV guest breakout
ISSUE DESCRIPTION The XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. IMPACT A malicious or buggy 64-bit PV guest may be able to access all of system memory, allowing fo...
xenstore denial of service via repeated update
ISSUE DESCRIPTION xenstored supports transactions, such that if writes which would invalidate assumptions of a transaction occur, the entire transaction fails. Typical response on a failed transaction is to simply retry the transaction until it succeeds. Unprivileged domains may issue writes to...
Cirrus VGA Heap overflow via display refresh
ISSUE DESCRIPTION When a graphics update command gets passed to the VGA emulator, there are 3 possible modes that can be used to update the display: blank - Clears the display; text - Treats the display as showing text; graph - Treats the display as showing graphics. After the display geometry gets...
arm: memory corruption when freeing p2m pages
ISSUE DESCRIPTION When freeing pages used for stage-2 page tables, the freeing routine failed to remove these pages from an internally managed list they were put on during allocation. The same list node elements are also used by the hypervisor's page allocator. Subsequent manipulation of ARM's...
cirrus_bitblt_cputovideo does not check if memory region is safe
ISSUE DESCRIPTION In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe. IMPACT A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation. VULNERABL...
memory leak when destroying guest without PT devices
ISSUE DESCRIPTION Certain internal state is set up, during domain construction, in preparation for possible pass-through device assignment. On ARM and AMD-Vi hardware this setup includes memory allocation. On guest teardown, cleanup was erroneously only performed when the guest actually had a...
oob access in cirrus bitblt copy
ISSUE DESCRIPTION When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory. IMPACT A malicious guest administrator can cause an out of bounds memory access, leading to information disclosure or privilege escalation. VULNERABLE...
x86: missing NULL pointer check in VMFUNC emulation
ISSUE DESCRIPTION When support for the Intel VMX VMFUNC leaf 0 was added, a new optional function pointer hvmemul_vmfunc was added to the hvm_emulate_ops table. As is intended, that new function pointer is NULL on non-VMX hardware, including AMD SVM hardware. However at a call site, the necessary NU...
x86 PV guests may be able to mask interrupts
ISSUE DESCRIPTION Certain PV guest kernel operations (page table writes in particular) need emulation, and use Xen's general x86 instruction emulator. This allows a malicious guest kernel which asynchronously modifies its instruction stream to effect the clearing of EFLAGS.IF from the state used to...
x86: Mishandling of SYSCALL singlestep during emulation
ISSUE DESCRIPTION The typical behaviour of singlestepping exceptions is determined at the start of the instruction, with a #DB trap being raised at the end of the instruction. SYSCALL and SYSRET (although we don't implement it) behave differently because the typical behaviour allows userspace to...
x86 CMPXCHG8B emulation fails to ignore operand size override
ISSUE DESCRIPTION The x86 instruction CMPXCHG8B is supposed to ignore legacy operand size overrides; it only honors the REX.W override (making it CMPXCHG16B). So, the operand size is always 8 or 16. When support for CMPXCHG16B emulation was added to the instruction emulator, this restriction on the...
qemu ioport array overflow
ISSUE DESCRIPTION The code in qemu which implements ioport read/write looks up the specified ioport address in a dispatch table. The argument to the dispatch function is a uint32_t, and is used without a range check, even though the table has entries for only 2^16 ioports. When qemu is used as a...
ARM guests may induce host asynchronous abort
ISSUE DESCRIPTION Depending on how the hardware and firmware have been integrated, guest-triggered asynchronous aborts (SError) on ARMv8 may be received by the hypervisor. The current action is to crash the host. A guest might trigger an asynchronous abort when accessing memory mapped hardware in a...
delimiter injection vulnerabilities in pygrub
ISSUE DESCRIPTION pygrub, the boot loader emulator, fails to quote or sanity check its results when reporting them to its caller. pygrub supports a number of output formats. When the S-expression output format is requested, putting string quotes and S-expressions in the bootloader configuration...
qemu incautious about shared ring processing
ISSUE DESCRIPTION The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor which the guest under control can obtain mappings of can be fetched twice during which time the guest can alter the...
x86 software interrupt injection mis-handled
ISSUE DESCRIPTION There are two closely-related bugs. When Xen emulates instructions which generate software interrupts it needs to perform a privilege check involving an IDT lookup. This check is sometimes erroneously conducted as if the IDT had the format for a 32-bit guest, when in fact it is ...
x86 null segments not always treated as unusable
ISSUE DESCRIPTION The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses. The intended behaviour is as follows: The user data segment (%ds, %es, %fs and %gs) selectors may be NULL in 32-bit to prevent access. In 64-bit, NULL has a special...
x86 task switch to VM86 mode mis-handled
ISSUE DESCRIPTION LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. This was violated by the code. IMPACT On SVM (AMD) hardware: a malicious unprivileged guest process can escalate its...
x86 64-bit bit test instruction emulation broken
ISSUE DESCRIPTION The x86 instructions BT, BTC, BTR, and BTS, when used with a destination memory operand and a source register rather than an immediate operand, access a memory location offset from that specified by the memory operand as specified by the high bits of the register source. When Xe...
guest 32-bit ELF symbol table load leaking host data
ISSUE DESCRIPTION Along with their main kernel binary, unprivileged guests may arrange to have their Xen environment load kernel symbol tables for their use. The ELF image metadata created for this purpose has a few unused bytes when the symbol table binary is in 32-bit ELF format. These unused...
x86 segment base write emulation lacking canonical address checks
ISSUE DESCRIPTION Both writes to the FS and GS register base MSRs as well as the WRFSBASE and WRGSBASE instructions require their input values to be canonical, or a #GP fault will be raised. When the use of those instructions by the hypervisor was enabled, the previous guard against #GP faults havi...
CR0.TS and CR0.EM not always honored for x86 HVM guests
ISSUE DESCRIPTION Instructions touching FPU, MMX, or XMM registers are required to raise a Device Not Available Exception (#NM) when either CR0.EM or CR0.TS are set. Their AVX or AVX-512 extensions would consider only CR0.TS. While during normal operation this is ensured by the hardware, if a guest...