use after free in FIFO event channel code
ISSUE DESCRIPTION When the EVTCHNOP_init_control operation is called with a bad guest frame number, it takes an error path which frees a control structure without also clearing the corresponding pointer. Certain subsequent operations (EVTCHNOP_expand_array or another EVTCHNOP_init_control), upon finding...
x86 HVM: Overflow of sh_ctxt->seg_reg[]
ISSUE DESCRIPTION x86 HVM guests running with shadow paging use a subset of the x86 emulator to handle the guest writing to its own pagetables. There are situations a guest can provoke which result in exceeding the space allocated for internal state. IMPACT A malicious HVM guest administrator can...
x86: Mishandling of instruction pointer truncation during emulation
ISSUE DESCRIPTION When emulating HVM instructions, Xen uses a small i-cache for fetches from guest memory. The code that handles cache misses does not check if the address from which it fetched lies within the cache before blindly writing to it. As such it is possible for the guest to overwrite...
x86: Disallow L3 recursive pagetable for 32-bit PV guests
ISSUE DESCRIPTION On real hardware, a 32-bit PAE guest must leave the USER and RW bit clear in L3 pagetable entries, but the pagetable walk behaves as if they were set. The L3 entries are cached in processor registers, and don't actually form part of the pagewalk. When running a 32-bit PV guest o...
virtio: unbounded memory allocation issue
ISSUE DESCRIPTION A guest can submit virtio requests without bothering to wait for completion and is therefore not bound by virtqueue size. This requires reusing vring descriptors in more than one request, which is incorrect but possible. Processing a request allocates a VirtQueueElement and...
x86: Missing SMAP whitelisting in 32-bit exception / event delivery
ISSUE DESCRIPTION Supervisor Mode Access Prevention is a hardware feature designed to make an Operating System more robust, by raising a pagefault rather than accidentally following a pointer into userspace. However, legitimate accesses into userspace require whitelisting, and the exception...
x86: Privilege escalation in PV guests
ISSUE DESCRIPTION The PV pagetable code has fast-paths for making updates to pre-existing pagetable entries, to skip expensive re-validation in safe cases (e.g. clearing only Access/Dirty bits). The bits considered safe were too broad, and not actually safe. IMPACT A malicious PV guest administrator...
arm: Host crash caused by VMID exhaustion
ISSUE DESCRIPTION VMIDs are a finite hardware resource, and allocated as part of domain creation. If no free VMIDs are available when trying to create a new domain, a bug in the error path causes a NULL pointer to be used, resulting in a Data Abort and host crash. IMPACT Attempting to create too...
Unsanitised guest input in libxl device handling code
ISSUE DESCRIPTION Various parts of libxl device-handling code inappropriately use information from partially guest controlled areas of xenstore (principally the frontend directory /local/domain/$GUEST/device/$TYPE/$DEVID, henceforth referred to as FE). The problems vary by device type: For almost all...
Unsanitised driver domain input in libxl device handling
ISSUE DESCRIPTION libxl's device-handling code freely uses and trusts information from the backend directories in xenstore. The backend domain (driver domain) can store bogus data in the backend, causing libxl's enquiry functions to fail, confusing management tools. A driver domain can also remove...
Unrestricted qemu logging
ISSUE DESCRIPTION When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen. This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large. IMPACT The disk...
x86 software guest page walk PS bit handling flaw
ISSUE DESCRIPTION The Page Size (PS) page table entry bit exists at all page table levels other than L1. Its meaning is reserved in L4, and conditionally reserved in L3 and L2 depending on hardware capabilities. The software page table walker in the hypervisor, however, so far ignored that bit in L...
QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks
ISSUE DESCRIPTION Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations. But an attacker can easily change access modes after setting the bank register. This is CVE-2016-3710. Qemu VGA module...
x86 shadow pagetables: address width overflow
ISSUE DESCRIPTION In the x86 shadow pagetable code, the guest frame number of a superpage mapping is stored in a 32-bit field. If a shadowed guest can cause a superpage mapping of a guest-physical address at or above 2^44 to be shadowed, the top bits of the address will be lost, causing an...
hugetlbfs use may crash PV Linux guests
ISSUE DESCRIPTION Huge (2Mb) pages are generally unavailable to PV guests. Since x86 Linux pvops-based kernels are generally multi-purpose, they would normally be built with hugetlbfs support enabled. Use of that functionality by an application in a PV guest would cause an infinite page fault loop,...
broken AMD FPU FIP/FDP/FOP leak workaround
ISSUE DESCRIPTION There is a workaround in Xen to deal with the fact that AMD CPUs don't load the x86 registers FIP (and possibly FCS), FDP (and possibly FDS), and FOP from memory via XRSTOR or FXRSTOR when there is no pending unmasked exception. See XSA-52. However, this workaround does not cover al...
I/O port access privilege escalation in x86-64 Linux
ISSUE DESCRIPTION IRET and POPF do not modify EFLAGS.IOPL when executed by code at a privilege level other than zero. Since PV Xen guests run at privilege level 3 (for 64-bit ones; 32-bit ones run at privilege level 1), to compensate for this the context switching of EFLAGS.IOPL requires the guest ...
VMX: guest user mode may crash guest with non-canonical RIP
ISSUE DESCRIPTION VMX refuses attempts to enter a guest with an instruction pointer which doesn't satisfy certain requirements. In particular, the instruction pointer needs to be canonical when entering a guest currently in 64-bit mode. This is the case even if the VM entry information specifies ...
x86: inconsistent cachability flags on guest mappings
ISSUE DESCRIPTION Multiple mappings of the same physical page with different cachability settings can cause problems. While one category (risk of using stale data) affects only guests themselves and hence avoiding this can be left for them to control, the other category (being Machine Check exception...
PV superpage functionality missing sanity checks
ISSUE DESCRIPTION The PV superpage functionality lacks certain validity checks on data being passed to the hypervisor by guests. This is the case for the page identifier (MFN) passed to MMUEXT_MARK_SUPER and MMUEXT_UNMARK_SUPER sub-ops of the HYPERVISOR_mmuext_op hypercall as well as for various forms of...
VMX: intercept issue with INVLPG on non-canonical address
ISSUE DESCRIPTION While INVLPG does not cause a General Protection Fault when used on a non-canonical address, INVVPID in its "individual address" variant, which is used to back the intercepted INVLPG in certain cases, fails in such cases. Failure of INVVPID results in a hypervisor bug check...
x86: unintentional logging upon guest changing callback method
ISSUE DESCRIPTION HYPERVISOR_hvm_op sub-op HVMOP_set_param's HVM_PARAM_CALLBACK_IRQ operation intends to log the new callback method in debug builds only. The full message, however, is split into two parts, the second one of which didn't get suppressed on non-debug builds as would have been intended...
ioreq handling possibly susceptible to multiple read issue
ISSUE DESCRIPTION Single memory accesses in source code can be translated to multiple ones in machine code by the compiler, requiring special caution when accessing shared memory. Such precaution was missing from the hypervisor code inspecting the state of I/O requests sent to the device model fo...
information leak in legacy x86 FPU/XMM initialization
ISSUE DESCRIPTION When XSAVE/XRSTOR are not in use by Xen to manage guest extended register state, the initial values in the FPU stack and XMM registers seen by the guest upon first use are those left there by the previous user of those registers. IMPACT A malicious domain may be able to leverage...
Linux pciback missing sanity checks leading to crash
ISSUE DESCRIPTION Xen PCI backend driver does not perform proper sanity checks on the device's state, which in turn allows the generic MSI code called by Xen PCI backend to be called incorrectly, leading to hitting BUG conditions or causing NULL pointer exceptions in the MSI code. CVE-2015-8551 To...
paravirtualized drivers incautious about shared memory contents
ISSUE DESCRIPTION The compiler can emit optimizations in the PV backend drivers which can lead to double fetch vulnerabilities. Specifically the shared memory between the frontend and backend can be fetched twice during which time the frontend can alter the contents possibly leading to arbitrary...
qemu-dm buffer overrun in MSI-X handling
ISSUE DESCRIPTION "qemu-xen-traditional" aka qemu-dm tracks state for each MSI-X table entry of a passed through device. This is used/updated on intercepted accesses to the pages containing the MSI-X table. There may be space on the final page not covered by any MSI-X table entry, but memory for...
XENMEM_exchange error handling issues
ISSUE DESCRIPTION Error handling in the operation may involve handing back pages to the domain. This operation may fail when in parallel the domain gets torn down. So far this failure unconditionally resulted in the host being brought down due to an internal error being assumed. This is...
long running memory operations on ARM
ISSUE DESCRIPTION Certain HYPERVISOR_memory_op subops take page order inputs, with so far insufficient enforcement of limits thereof. In particular, for all of XENMEM_increase_reservation, XENMEM_populate_physmap, and XENMEM_exchange the order was limited to 9 only for guests without physical devices...
libxl leak of pv kernel and initrd on error
ISSUE DESCRIPTION When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain (e.g. pygrub), libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain. However if building the domain...
heap buffer overflow vulnerability in pcnet emulator
ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: The AMD PC-Net II emulator (hw/net/pcnet.c), while receiving packets in loopback mode, appends CRC code to the receive buffer. If the data size given is the same as the buffer size (4096), the appended CRC code overwrites 4...
WITHDRAWN: missing XSETBV intercept privilege check on AMD SVM
ISSUE DESCRIPTION NOTE: This advisory has been withdrawn. XSETBV is a privileged instruction, i.e. should result in #GP when issued by code running at other than the most privileged level (CPL 0). Unlike other privileged and intercepted instructions in AMD SVM, XSETBV has the privilege level check do...
virtual PMU is unsupported
ISSUE DESCRIPTION The Virtual Performance Measurement Unit feature has been documented as unsupported, so far only on Intel CPUs. Further issues have been found or are suspected which would also or exclusively affect AMD CPUs. We believe that the functionality is mostly intended for non-productio...
x86: CPU lockup during exception delivery
ISSUE DESCRIPTION When a benign exception occurs while delivering another benign exception, it is architecturally specified that these would be delivered sequentially. There are, however, cases where this results in an infinite loop inside the CPU, which in the virtualized case can be broken only...
x86: leak of per-domain profiling-related vcpu pointer array
ISSUE DESCRIPTION A domain's xenoprofile state contains an array of per-vcpu information, which is allocated once in the lifetime of a domain in response to that domain using the XENOPROF_get_buffer hypercall on itself or by a domain with the privilege to profile a target domain using the...
arm: Host crash when preempting a multicall
ISSUE DESCRIPTION Early versions of Xen on ARM did not support "multicall" functionality (the ability to perform multiple operations via a single hypercall) and therefore stubbed out the functionality needed to support preemption of multicalls in a manner which crashed the host. When multicall...
x86: populate-on-demand balloon size inaccuracy can crash guests
ISSUE DESCRIPTION The design of the memory populate-on-demand (PoD) system requires that a guest's memory ballooning driver reach its memory reduction target. The target is not entirely well-defined in terms of the information visible to the appropriate parts of the system, so some unknown set of...
x86: some pmu and profiling hypercalls log without rate limiting
ISSUE DESCRIPTION HYPERCALL_xenoprof_op and HYPERVISOR_xenpmu_op log some errors and attempts at invalid operations. These log messages are not rate-limited, even though they can be triggered by guests. IMPACT A malicious guest could cause repeated logging to the hypervisor console, leading to a Deni...
leak of main per-domain vcpu pointer array
ISSUE DESCRIPTION A domain's primary array of vcpu pointers can be allocated by a toolstack exactly once in the lifetime of a domain via the XEN_DOMCTL_max_vcpus hypercall. This array is leaked on domain teardown. This memory leak could -- over time -- exhaust the host's memory. IMPACT A domain give...
x86: Uncontrolled creation of large page mappings by PV guests
ISSUE DESCRIPTION The code to validate level 2 page table entries is bypassed when certain conditions are satisfied. This means that a PV guest can create writeable mappings using super page mappings. Such writeable mappings can violate Xen's intended invariants for pages which Xen is supposed to...
arm: Race between domain destruction and memory allocation decrease
ISSUE DESCRIPTION While freeing the memory associated with a domain during domain destruction, Xen could race with a toolstack domain reducing the amount of memory associated with that same domain via the XENMEM_decrease_reservation hypercall. In the case where this race is hit the host will crash. The race i...
x86: Long latency populate-on-demand operation is not preemptible
ISSUE DESCRIPTION When running an HVM domain in Populate-on-Demand mode, Xen would sometimes search the domain for memory to reclaim, in response to demands for population of other pages in the same domain. This search runs without preemption. The guest can, by suitable arrangement of its memory...
arm: various unimplemented hypercalls log without rate limiting
ISSUE DESCRIPTION The HYPERVISOR_physdev_op hypercall and most suboperations of the HYPERVISOR_hvm_op hypercall are not currently implemented by Xen on ARM and when called will log the use to the hypervisor console. However these guest accessible log messages are not rate-limited. IMPACT A malicious...
libxl fails to honour readonly flag on disks with qemu-xen
ISSUE DESCRIPTION Callers of libxl can specify that a disk should be read-only to the guest. However, there is no code in libxl to pass this information to qemu-xen (the upstream-based qemu); and indeed there is no way in qemu to make a disk read-only. The vulnerability is exploitable only via...
printk is not rate-limited in xenmem_add_to_physmap_one
ISSUE DESCRIPTION XENMAPSPACE_gmfn_foreign dumps the p2m, on ARM, when it fails to get a reference on the foreign page. However, dump_p2m_lookup does not use rate-limited printk. A malicious infrastructure domain, which is allowed to map memory of a foreign guest, would be able to flood the Xen...
QEMU leak of uninitialized heap memory in rtl8139 device model
ISSUE DESCRIPTION The QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation. This results in uninitialised memory from the QEMU process's heap being leaked to the domain as well as to the network. IMPACT A guest may be able to read sensitive...
Use after free in QEMU/Xen block unplug protocol
ISSUE DESCRIPTION When unplugging an emulated block device the device was not fully unplugged, meaning a second unplug attempt would attempt to unplug the device a second time using a previously freed pointer. IMPACT An HVM guest which has access to an emulated IDE disk device may be able to...
QEMU heap overflow flaw while processing certain ATAPI commands.
ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: A heap overflow flaw was found in the way QEMU's IDE subsystem handled I/O buffer access while processing certain ATAPI commands. A privileged guest user in a guest with CDROM drive enabled could potentially use thi...
xl command line config handling stack overflow
ISSUE DESCRIPTION The xl command line utility mishandles long configuration values when passed as command line arguments, with a buffer overrun. VULNERABLE SYSTEMS Systems built on top of xl which pass (laundered or checked but otherwise untrusted) configuration values onto xl's command line, witho...
vulnerability in the iret hypercall handler
ISSUE DESCRIPTION A buggy loop in Xen's compat_iret function iterates the wrong way around a 32-bit index. Any 32-bit PV guest kernel can trigger this vulnerability by attempting a hypercall_iret with EFLAGS.VM set. Given the use of get/put_user, and that the virtual addresses in question are...