GNTTABOP_swap_grant_ref operation misbehavior
ISSUE DESCRIPTION With the introduction of version 2 grant table operations, a version check became necessary for most grant table related hypercalls. The GNTTABOP_swap_grant_ref call was lacking such a check. As a result, the subsequent code behaved as if version 2 was in use, when a guest issued...
Heap overflow in QEMU PCNET controller, allowing guest->host escape
ISSUE DESCRIPTION The QEMU security team has predisclosed the following advisory: pcnet_transmit loads a transmit-frame descriptor from the guest into the /tmd/ local variable to recover a length field, a status field and a guest-physical location of the associated frame buffer. If the status fiel...
Guest triggerable qemu MSI-X pass-through error messages
ISSUE DESCRIPTION Device model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain supposedly invalid guest operations. IMPACT A buggy or malicious guest repeatedly invoking such operations may result in the host disk filling up, possibly leading to a Denial...
Unmediated PCI register access in qemu
ISSUE DESCRIPTION Qemu allows guests to not only read, but also write all parts of the PCI config space (but not extended config space) of passed through PCI devices not explicitly dealt with for partial emulation purposes. IMPACT Since the effect depends on the specific purpose of the config...
PCI MSI mask bits inadvertently exposed to guests
ISSUE DESCRIPTION The mask bits optionally available in the PCI MSI capability structure are used by the hypervisor to occasionally suppress interrupt delivery. Unprivileged guests were, however, nevertheless allowed direct control of these bits. IMPACT Interrupts may be observed by Xen at...
Potential unintended writes to host MSI message data field via qemu
ISSUE DESCRIPTION Logic is in place to avoid writes to certain host config space fields when the guest must nevertheless be able to access their virtual counterparts. A bug in how this logic deals with accesses spanning multiple fields allows the guest to write to the host MSI message data field...
Privilege escalation via emulated floppy disk drive
ISSUE DESCRIPTION The code in qemu which emulates a floppy disk controller did not correctly bounds check accesses to an array and therefore was vulnerable to a buffer overflow attack. IMPACT A guest which has access to an emulated floppy device can exploit this vulnerability to take over the qem...
Information leak through XEN_DOMCTL_gettscinfo
ISSUE DESCRIPTION The handler for XEN_DOMCTL_gettscinfo failed to initialize a padding field subsequently copied to guest memory. A similar bug existed in XEN_SYSCTL_getdomaininfolist, which is addressed by the patches provided here even though that operation was declared by XSA-77 not to provide...
Long latency MMIO mapping operations are not preemptible
ISSUE DESCRIPTION The XEN_DOMCTL_memory_mapping hypercall allows long running operations without implementing preemption. This hypercall is used by the device model as part of the emulation associated with configuration of PCI devices passed through to HVM guests and is therefore indirectly exposed ...
Certain domctl operations may be abused to lock up the host
ISSUE DESCRIPTION XSA-77 put the majority of the domctl operations on a list excepting them from having security advisories issued for them if any effects their use might have could hamper security. Subsequently some of them got declared disaggregation safe, but for a small subset this was not...
Unmediated PCI command register access in qemu
ISSUE DESCRIPTION HVM guests are currently permitted to modify the memory and I/O decode bits in the PCI command register of devices passed through to them. Unless the device is an SR-IOV virtual function, after disabling one or both of these bits subsequent accesses to the MMIO or I/O port range...
HVM qemu unexpectedly enabling emulated VGA graphics backends
ISSUE DESCRIPTION When instantiating an emulated VGA device for an x86 HVM guest qemu will by default enable a backend to expose that device, either SDL or VNC depending on the version of qemu and the build time configuration. The libxl toolstack library does not explicitly disable these default...
Non-maskable interrupts triggerable by guests
ISSUE DESCRIPTION Guests are currently permitted to modify all of the writable bits in the PCI command register of devices passed through to them. This in particular allows them to disable memory and I/O decoding on the device unless the device is an SR-IOV virtual function, in which case...
Non-standard PCI device functionality may render pass-through insecure
ISSUE DESCRIPTION Devices with capabilities or defects that are undocumented or that virtualization software is unaware of may allow guests to control parts of the host that they shouldn't be in control of. Here are some examples of the kind of problem: While XSA-120 deals with standard PCI confi...
Hypervisor memory corruption due to x86 emulator flaw
ISSUE DESCRIPTION Instructions with register operands ignore eventual segment overrides encoded for them. Due to an insufficiently conditional assignment such a bogus segment override can, however, corrupt a pointer used subsequently to store the result of the instruction. IMPACT A malicious gues...
Information leak via internal x86 system device emulation
ISSUE DESCRIPTION Emulation routines in the hypervisor dealing with certain system devices check whether the access size by the guest is a supported one. When the access size is unsupported these routines failed to set the data to be returned to the guest for read accesses, so that hypervisor sta...
Information leak through version information hypercall
ISSUE DESCRIPTION The code handling certain sub-operations of the HYPERVISOR_xen_version hypercall fails to fully initialize all fields of structures subsequently copied back to guest memory. Due to this hypervisor stack contents are copied into the destination of the operation, thus becoming visib...
arm: vgic-v2: GICD_SGIR is not properly emulated
ISSUE DESCRIPTION When decoding a guest write to a specific register in the virtual interrupt controller Xen would treat an invalid value as a critical error and crash the host. IMPACT By writing an invalid value to the GICD_SGIR register a guest can crash the host, resulting in a Denial of Servi...
arm: vgic: incorrect rate limiting of guest triggered logging
ISSUE DESCRIPTION On ARM systems the code which deals with virtualising the GIC distributor would, under various circumstances, log messages on a guest accessible code path without appropriate rate limiting. IMPACT A malicious guest could cause repeated logging to the hypervisor console, leading ...
xen crash due to use after free on hvm guest teardown
ISSUE DESCRIPTION Certain data accessible via hypercalls by the domain controlling the execution of a HVM domain is being freed prematurely, leading to the respective memory regions possibly being read from and written to in ways unexpected by their new owners. IMPACT Malicious or buggy stub doma...
p2m lock starvation
ISSUE DESCRIPTION The current read/write lock implementation is read-biased, which allows a consistent stream of readers to starve writers indefinitely. There are certain rwlocks where guests are capable of applying arbitrary read pressure. IMPACT A malicious guest administrator can deny service ...
Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
ISSUE DESCRIPTION Acceleration support for the "REP MOVS" instruction, when the first iteration accesses memory mapped I/O emulated internally in the hypervisor, incorrectly assumes that the whole range accessed is handled by the same hypervisor sub-component. IMPACT A buggy or malicious HVM gues...
Excessive checking in compatibility mode hypercall argument translation
ISSUE DESCRIPTION The hypercall argument translation needed for 32-bit guests running on 64-bit hypervisors performs checks on the final register state. These checks cover all registers potentially holding hypercall arguments, not just the ones actually doing so for the hypercall being processed,...
Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
ISSUE DESCRIPTION An error handling path in the processing of MMU_MACHPHYS_UPDATE failed to drop a page reference which was acquired in an earlier processing step. IMPACT Malicious or buggy stub domain kernels or tool stacks otherwise living outside of Domain0 can mount a denial of service attack...
Insufficient restrictions on certain MMU update hypercalls
ISSUE DESCRIPTION MMU update operations targeting page tables are intended to be used on PV guests only. The lack of a respective check made it possible for such operations to access certain function pointers which remain NULL when the target guest is using Hardware Assisted Paging (HAP). IMPACT...
Missing privilege level checks in x86 emulation of far branches
ISSUE DESCRIPTION The emulation of far branch instructions (CALL, JMP, and RETF in Intel assembly syntax; LCALL, LJMP, and LRET in AT&T assembly syntax) incompletely performs privilege checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when a memory...
Improper MSR range used for x2APIC emulation
ISSUE DESCRIPTION The MSR range specified for APIC use in the x2APIC access model spans 256 MSRs. Hypervisor code emulating read and write accesses to these MSRs erroneously covered 1024 MSRs. While the write emulation path is written such that accesses to the extra MSRs would not have any bad...
Race condition in HVMOP_track_dirty_vram
ISSUE DESCRIPTION The routine controlling the setup of dirty video RAM tracking latches the value of a pointer before taking the respective guarding lock, thus making it possible for a stale pointer to be used by the time the lock got acquired and the pointer gets dereferenced. The hypercall...
Missing privilege level checks in x86 emulation of software interrupts
ISSUE DESCRIPTION The emulation of instructions which generate software interrupts fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when a memory operand implicit for the affected instructions lives in...
Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
ISSUE DESCRIPTION The emulation of the instructions HLT, LGDT, LIDT, and LMSW fails to perform supervisor mode permission checks. However these instructions are not usually handled by the emulator. Exceptions to this are - when the instruction's memory operand (if any) lives in emulated or passed...
Mishandling of uninitialised FIFO-based event channel control blocks
ISSUE DESCRIPTION When using the FIFO-based event channels, there are no checks for the existence of a control block when binding an event or moving it to a different VCPU. This is because events may be bound when the ABI is in 2-level mode (e.g., by the toolstack before the domain is started). The...
Long latency virtual-mmu operations are not preemptible
ISSUE DESCRIPTION Some MMU virtualization operations on HVM guests must process every page assigned to a guest. For larger guests, this can tie up a vcpu for a significant amount of time, as the operations are not preemptible. For guests using Hardware Assisted Paging (HAP, see below) this is...
Flaw in handling unknown system register access from 64-bit userspace on ARM
ISSUE DESCRIPTION When handling an unknown system register access from 64-bit userspace Xen would incorrectly return to the second instruction of the trap handler for faults in kernel space rather than the first instruction of the trap handler for faults in 64-bit userspace. Any user in a guest...
Flaws in handling traps from 32-bit userspace on 64-bit ARM
ISSUE DESCRIPTION When handling a trap from guest mode on ARM, Xen asserts that the current guest mode must match the domain address width. This assertion is false when a guest takes a trap from a 32-bit userspace running on a 64-bit kernel in a 64-bit domain. IMPACT Any user in a guest which is...
information leak via gnttab_setup_table on ARM
ISSUE DESCRIPTION When initialising an internal data structure on ARM platform Xen was not correctly initialising the memory containing the list of a domain's grant table pages. This list is returned by the GNTTABOP_setup_table subhypercall, leading to an information leak. IMPACT Malicious guest...
unexpected pitfall in xenaccess API
ISSUE DESCRIPTION A test/example program, for exercising the Xen memaccess API, does not take all necessary precautions against hostile guest behaviour. As a result, software developers using it as an example or template might have written and deployed vulnerable code. See the patch for technical...
Hypervisor heap contents leaked to guests
ISSUE DESCRIPTION While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would...
insufficient permissions checks accessing guest memory on ARM
ISSUE DESCRIPTION When accessing guest memory Xen does not correctly perform permissions checks on the possibly guest provided virtual address: it only checks that the mapping is readable by the guest, even when writing on behalf of the guest. This allows a guest to write to memory which it shoul...
Vulnerabilities in HVM MSI injection
ISSUE DESCRIPTION The implementation of the HVM control operation HVMOP_inject_msi, while checking whether a particular IRQ was already set up in the necessary way, fails to properly check all respective conditions. In particular it doesn't check the returned pointer for being non-NULL before de-...
input handling vulnerabilities loading guest kernel on ARM
ISSUE DESCRIPTION When loading a 32-bit ARM guest kernel the Xen tools did not correctly validate the length of the kernel against the actual image size. This would then lead to an overrun on the input buffer when loading the kernel into guest RAM (CVE-2014-3714). Furthermore when checking a 32-bit...
Hardware timer context is not properly context switched on ARM
ISSUE DESCRIPTION When running on an ARM platform Xen was not context switching the CNTKCTL_EL1 register, which is used by the guest kernel to control access by userspace processes to the hardware timers. This meant that any guest can reconfigure these settings for the entire system. IMPACT A...
HVMOP_set_mem_type allows invalid P2M entries to be created
ISSUE DESCRIPTION The implementation in Xen of the HVMOP_set_mem_type HVM control operation attempts to exclude transitioning a page from an inappropriate memory type. However, only an inadequate subset of memory types is excluded. There are certain other types that don't correspond to a particular...
ARM hypervisor crash on guest interrupt controller access
ISSUE DESCRIPTION When handling a guest access to the virtual GIC distributor interrupt controller Xen could dereference a pointer before checking it for validity leading to a hypervisor crash and host Denial of Service. IMPACT A buggy or malicious guest can crash the host. VULNERABLE SYSTEMS Bot...
Hardware features unintentionally exposed to guests on ARM
ISSUE DESCRIPTION When running on an ARM platform Xen was not correctly configuring the hardware virtualisation platform and therefore did not prevent guests from accessing various hardware features including cache control, coprocessors, debug registers and various processor specific registers...
HVMOP_set_mem_access is not preemptible
ISSUE DESCRIPTION Processing of the HVMOP_set_mem_access HVM control operation does not check the size of its input and can tie up a physical CPU for extended periods of time. IMPACT In a configuration where device models run with limited privilege (for example, stubdom device models), a guest attack...
Linux netback crash trying to disable due to malformed packet
ISSUE DESCRIPTION When Linux's netback sees a malformed packet, it tries to disable the interface which serves the misbehaving frontend. This involves taking a mutex, which might sleep. But in recent versions of Linux the guest transmit path is handled by NAPI in softirq context, where sleeping i...
use-after-free in xc_cpupool_getinfo() under memory pressure
ISSUE DESCRIPTION If xc_cpumap_alloc fails then xc_cpupool_getinfo will free and incorrectly return the then-free pointer to the result structure. IMPACT An attacker may be able to cause a multi-threaded toolstack using this function to race against itself leading to heap corruption and a potential...
Off-by-one error in FLASK_AVC_CACHESTAT hypercall
ISSUE DESCRIPTION The FLASK_AVC_CACHESTAT hypercall, which provides access to per-cpu statistics on the Flask security policy, incorrectly validates the CPU for which statistics are being requested. IMPACT An attacker can cause the hypervisor to read past the end of an array. This may result in...
libvchan failure handling malicious ring indexes
ISSUE DESCRIPTION libvchan (a library for inter-domain communication) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause a libvchan-using facility to read or write past the end of the ring. IMPACT libvchan-using facilities are...
integer overflow in several XSM/Flask hypercalls
ISSUE DESCRIPTION The FLASK_{GET,SET}BOOL, FLASK_USER and FLASK_CONTEXT_TO_SID suboperations of the flask hypercall are vulnerable to an integer overflow on the input size. The hypercalls attempt to allocate a buffer which is 1 larger than this size and is therefore vulnerable to integer overflow and an...