PHYSDEVOP_{prepare,release}_msix exposed to unprivileged guests
ISSUE DESCRIPTION The PHYSDEVOP_{prepare,release}_msix operations are supposed to be available to privileged guests (domain 0 in non-disaggregated setups) only, but the necessary privilege check was missing. IMPACT Malicious or misbehaving unprivileged guests can cause the host or other guests to...
Out-of-memory condition yielding memory corruption during IRQ setup
ISSUE DESCRIPTION When setting up the IRQ for a passed through physical device, a flaw in the error handling could result in a memory allocation being used after it is freed, and then freed a second time. This would typically result in memory corruption. IMPACT Malicious guest administrators can...
IOMMU TLB flushing may be inadvertently suppressed
ISSUE DESCRIPTION An internal flag is used to temporarily suppress IOMMU TLB flushes, in order to consolidate multiple single page flushes into one wider flush. This flag is not cleared again, on certain error paths. This can result in TLB flushes not happening when they are needed. Retaining sta...
Disaggregated domain management security status
ISSUE DESCRIPTION Xen supports disaggregation of various support and management functions into their own domains; this is often done for security and robustness reasons. In Xen 4.3 additional functionality was introduced to allow further disaggregation: the Xen Security Modules mechanism was...
Guest triggerable AMD CPU erratum may cause host hang
ISSUE DESCRIPTION AMD CPU erratum 793 "Specific Combination of Writes to Write Combined Memory Types and Locked Instructions May Cause Core Hang" describes a situation under which a CPU core may hang. IMPACT A malicious guest administrator can mount a denial of service attack affecting the whole...
Lock order reversal between page_alloc_lock and mm_rwlock
ISSUE DESCRIPTION The locks page_alloc_lock and mm_rwlock are not always taken in the same order. This raises the possibility of deadlock. The incorrect order occurs only in the implementation of the deprecated domctl hypercall XEN_DOMCTL_getmemlist. IMPACT A malicious guest administrator may be able ...
Hypercalls exposed to privilege rings 1 and 2 of HVM guests
ISSUE DESCRIPTION The privilege check applied to hypercall attempts by a HVM guest only refused access from ring 3; rings 1 and 2 were allowed through. IMPACT Code running in the intermediate privilege rings of HVM guest OSes may be able to elevate its privileges inside the guest by careful...
Insufficient TLB flushing in VT-d (iommu) code
ISSUE DESCRIPTION An inverted boolean parameter resulted in TLB flushes not happening upon clearing of a present translation table entry. Retaining stale TLB entries could allow guests access to memory that ought to have been revoked, or grant greater access than intended. IMPACT Malicious guest...
Host crash due to guest VMX instruction execution
ISSUE DESCRIPTION Permission checks on the emulation paths intended for guests using nested virtualization for VMLAUNCH and VMRESUME were deferred too much. The hypervisor would try to use internal state which is not set up unless nested virtualization is actually enabled for a guest. IMPACT A...
Lock order reversal between page allocation and grant table locks
ISSUE DESCRIPTION The locks page_alloc_lock and grant_table.lock are not always taken in the same order. This opens the possibility of deadlock. IMPACT A malicious guest administrator can deny service to the entire host. VULNERABLE SYSTEMS Xen versions going back to at least Xen 3.2 are vulnerable. ...
ocaml xenstored mishandles oversized message replies
ISSUE DESCRIPTION The Ocaml xenstored implementation "oxenstored" cannot correctly handle a message reply larger than XENSTORE_PAYLOAD_SIZE when communicating with a client domain via the shared ring mechanism. When this situation occurs the connection to the client domain will be shutdown and cann...
misplaced free in ocaml xc_vcpu_getaffinity stub
ISSUE DESCRIPTION The ocaml binding for the xc_vcpu_getaffinity function incorrectly frees a pointer before using it and subsequently freeing it again afterwards. The code therefore contains use-after-free and double-free flaws. IMPACT An attacker may be able to cause a multithreaded toolstack...
possible null dereference when parsing vif ratelimiting info
ISSUE DESCRIPTION The libxlu library function xlu_vif_parse_rate does not properly handle inputs which consist solely of the '@' character, leading to a NULL pointer dereference. IMPACT A toolstack which allows untrusted users to specify an arbitrary configuration for the VIF rate can be subjected t...
Information leak through outs instruction emulation
ISSUE DESCRIPTION The emulation of the outs instruction for 64-bit PV guests uses an uninitialized variable as the segment base for the source data if an FS: or GS: segment override is used, and if the segment descriptor the respective non-null selector in the corresponding selector register poin...
use-after-free in libxl_list_cpupool under memory pressure
ISSUE DESCRIPTION If realloc(3) fails then libxl_list_cpupool will incorrectly return the now-free original pointer. IMPACT An attacker may be able to cause a multithreaded toolstack using this function to race against itself leading to heap corruption and a potential DoS. Depending on the malloc...
qemu disk backend (qdisk) resource leak
ISSUE DESCRIPTION The qdisk PV disk backend in the qemu-xen flavour of qemu ("upstream qemu") can be influenced by a malicious frontend to leak mapped grant references. IMPACT A malicious HVM guest can cause the backend domain to run out of grant references, leading to a DoS for any other domain...
qemu SCSI REPORT LUNS buffer overflow
ISSUE DESCRIPTION qemu contains a possible buffer overflow in the SCSI code that implements the REPORT LUNS command. The buffer can be overflowed by creating a SCSI controller with more than 256 attached devices (such as disks) and sending a REPORT LUNS command with a short transfer buffer less tha...
Memory accessible by 64-bit PV guests under live migration
ISSUE DESCRIPTION On some hardware, during live migration of 64-bit PV guests, some parts of the guest's shadow pagetables are mistakenly filled in with hypervisor mappings. This causes Xen to crash when those mappings are later cleared. Before the crash, a malicious guest could use hypercalls to...
Information leak through fbld instruction emulation
ISSUE DESCRIPTION The emulation of the fbld instruction which is used during I/O emulation uses the wrong variable for the source effective address. As a result, the actual address used is an uninitialised bit pattern from the stack. A malicious guest might be able to find out information about t...
Information leaks through I/O instruction emulation
ISSUE DESCRIPTION Insufficient or missing error handling in certain routines dealing with guest memory reads can lead to uninitialized data on the hypervisor stack (potentially containing sensitive data from prior work the hypervisor performed) being copied to guest visible storage. This allows a...
Information leak on AVX and/or LWP capable CPUs
ISSUE DESCRIPTION When a guest increases the set of extended state components for a vCPU saved/restored via XSAVE/XRSTOR (to date this can only be the upper halves of YMM registers, or AMD's LWP state) after already having touched other extended registers restored via XRSTOR e.g. floating point or...
libxl partially sets up HVM passthrough even with disabled iommu
ISSUE DESCRIPTION With HVM domains, libxl's setup of PCI passthrough devices does the IOMMU setup after giving (via the device model) the guest access to the hardware and advertising it to the guest. If the IOMMU is disabled the overall setup fails, but after the device has been made available to t...
Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts
ISSUE DESCRIPTION Message Signaled Interrupts (MSI) on Intel platforms are defined as DWORD writes to a special address location (0xFEE?????). MSIs on Intel Platforms supporting VT-d have two defined formats - Remappable format interrupts, and Compatibility (not remappable) format interrupts...
Excessive time to disable caching with HVM guests with PCI passthrough
ISSUE DESCRIPTION HVM guests are able to manipulate their physical address space such that processing a subsequent request by that guest to disable caches takes an extended amount of time changing the cachability of the memory pages assigned to this guest. This applies only when the guest has bee...
Page reference counting error due to XSA-45/CVE-2013-1918 fixes
ISSUE DESCRIPTION The XSA-45/CVE-2013-1918 patch making error handling paths preemptible broke page reference counting by not retaining a reference on pages stored for deferred cleanup. This would lead to the hypervisor prematurely attempting to free the page, generally crashing upon finding the...
libxl allows guest write access to sensitive console related xenstore keys
ISSUE DESCRIPTION The libxenlight (libxl) toolstack library does not correctly set permissions on xenstore keys relating to paravirtualised and emulated serial console devices. This could allow a malicious guest administrator to change values in xenstore which the host later relies on being...
Multiple vulnerabilities in libelf PV kernel handling
ISSUE DESCRIPTION The ELF parser used by the Xen tools to read domains' kernels and construct domains has multiple integer overflows, pointer dereferences based on calculations from unchecked input values, and other problems. This corresponds to the following CVEs: CVE-2013-2194 XEN XSA-55 intege...
Hypervisor crash due to missing exception recovery on XRSTOR
ISSUE DESCRIPTION Processors do certain validity checks on the data passed to XRSTOR. While the hypervisor controls the placement of that memory block, it doesn't restrict the contents in any way. Thus the hypervisor exposes itself to a fault occurring on XRSTOR. Other than for FXRSTOR, which...
Information leak on XSAVE/XRSTOR capable AMD CPUs
ISSUE DESCRIPTION On AMD processors supporting XSAVE/XRSTOR (family 15h and up), when an exception is pending, these instructions save/restore only the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR. This allows one domain to determine portions of the state of floating point instructions of othe...
Hypervisor crash due to missing exception recovery on XSETBV
ISSUE DESCRIPTION Processors do certain validity checks on the register values passed to XSETBV. For the PV emulation path for that instruction the hypervisor code didn't check for certain invalid bit combinations, thus exposing itself to a fault occurring when invoking that instruction on behalf...
PV guest host Denial of Service
ISSUE DESCRIPTION A Xen user has discovered that some older AMD CPUs can be made to lock up due to AMD processor erratum 121. This issue was discovered during testing of the fix for XSA-7 (CVE-2012-0217). Although the two issues are unrelated, the situations which can trigger them may overlap...
guest denial of service on syscall/sysenter exception generation
ISSUE DESCRIPTION When guest user code running inside a Xen guest operating system attempts to execute a syscall or sysenter instruction, but when the guest operating system has not registered a handler for that instruction, a General Protection Fault may need to be injected into the guest. It ha...
64-bit PV guest privilege escalation vulnerability
ISSUE DESCRIPTION Rafal Wojtczuk has discovered a vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the host by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception...
Buffer overflow in xencontrol Python bindings affecting xend
ISSUE DESCRIPTION The Python bindings for the xc_vcpu_setaffinity call do not properly check their inputs. Systems which allow untrusted administrators to configure guest vcpu affinity may be exploited to trigger a buffer overrun and corrupt memory. IMPACT An attacker who is able to configure a...
qemu guest agent (qga) insecure file permissions
ISSUE DESCRIPTION The qemu guest agent creates files with insecure permissions when started in daemon mode. IMPACT The qemu guest agent is not used by default in Xen systems. If it is used in a particular guest, unprivileged guest processes might be able to escalate their privilege to that of the...
Several long latency operations are not preemptible
ISSUE DESCRIPTION Page table manipulation operations for PV guests can take significant amounts of time, as they require all present branches to have their type and thus contents verified. While the most frequently used operations had been made preemptible in the past, some code paths involving...
VT-d interrupt remapping source validation flaw for bridges
ISSUE DESCRIPTION Interrupt remapping table entries for MSI interrupts set up by bridge devices did not get any source validation set up on them, allowing misbehaving or malicious guests to inject interrupts into the domain owning the bridges. In a typical Xen system bridge devices are owned by...
grant table hypercall acquire/release imbalance
ISSUE DESCRIPTION When releasing a non-v1 non-transitive grant after doing a grant copy operation, Xen incorrectly recurses as if for a transitive grant and releases an unrelated grant reference. IMPACT A malicious guest administrator can cause undefined behaviour; depending on the dom0 kernel a...
Several access permission issues with IRQs for unprivileged guests
ISSUE DESCRIPTION Various IRQ related access control operations may not have the intended effect, thus potentially permitting a stub domain to grant its client domain access to an IRQ it doesn't have access to itself. IMPACT Malicious or buggy stub domain kernels can mount a denial of service...
Xen PV DoS vulnerability with SYSENTER
ISSUE DESCRIPTION The SYSENTER instruction can be used by PV guests to accelerate system call processing. This instruction, however, leaves the EFLAGS register mostly unmodified - in particular, the NT flag doesn't get cleared. If the hypervisor subsequently uses IRET to return to the guest which...
qemu-nbd format-guessing due to missing format specification
ISSUE DESCRIPTION The qemu-nbd tool shipped in the Xen hypervisor tools distribution (as qemu-nbd-xen) autodetects the image format. If a particular disk image is intended to be raw, a guest operating system administrator could write a header to the image, describing another format than original on...
Potential use of freed memory in event channel operations
ISSUE DESCRIPTION Wrong ordering of operations upon extending the per-domain event channel tracking table can cause a pointer to freed memory to be left in place, when the hypervisor is under memory pressure and XSM (Xen Security Module) is enabled. IMPACT Malicious guest kernels could inject...
Linux kernel hits general protection if %ds is corrupt for 32-bit PVOPS.
ISSUE DESCRIPTION The Linux kernel, when returning from an iret, assumes that the %ds segment is safe and uses it to reference various per-cpu related fields. Unfortunately the user can modify the LDT and provide a NULL one. Whenever an iret is called we end up in xen_iret and try to use the %ds segment and...
Linux netback DoS via malicious guest ring.
ISSUE DESCRIPTION The Xen netback implementation contains a couple of flaws which can allow a guest to cause a DoS in the backend domain, potentially affecting other domains in the system. CVE-2013-0216 is a failure to sanity check the ring producer/consumer pointers which can allow a guest to...
oxenstored incorrect handling of certain Xenbus ring states
ISSUE DESCRIPTION The oxenstored daemon (the ocaml version of the xenstore daemon) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause oxenstored to read past the end of the ring and very likely crash or to allocate large amounts...
Linux pciback DoS via not rate limited log messages.
ISSUE DESCRIPTION Xen's PCI backend drivers in Linux allow a guest with assigned PCI devices to cause a DoS through a flood of kernel messages, potentially affecting other domains in the system. IMPACT A malicious guest can mount a DoS affecting the entire system. VULNERABLE SYSTEMS All systems...
interrupt remap entries shared and old ones not cleared on AMD IOMMUs
ISSUE DESCRIPTION To avoid an erratum in early hardware, the Xen AMD IOMMU code by default chooses to use a single interrupt remapping table for the whole system. This sharing implies that any guest with a passed through PCI device that is bus mastering capable can inject interrupts into other...
Nested HVM exposes host to being driven out of memory by guest
ISSUE DESCRIPTION Guests are currently permitted to enable nested virtualization on themselves. Missing error handling cleanup in the handling code makes it possible for a guest, particularly a multi-vCPU one, to repeatedly invoke this operation, thus causing a leak of - over time - unbounded...
nested virtualization on 32-bit exposes host crash
ISSUE DESCRIPTION When performing nested virtualisation Xen would incorrectly map guest pages for extended periods using an interface which is only intended for transient mappings. In some configurations there are a limited number of slots available for these transient mappings and exhausting the...
Linux stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
ISSUE DESCRIPTION xen_failsafe_callback incorrectly sets up its stack if an iret fault is injected by the hypervisor. IMPACT Malicious or buggy unprivileged userspace can cause the guest kernel to crash, or operate erroneously. VULNERABLE SYSTEMS All 32bit PVOPS versions of Linux are affected, sinc...