Xen Security Vulnerabilities

CVE-2023-20588

A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.

CVE-2023-20593

An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.

CVE-2023-34319

The fix for XSA-423 added logic to Linux'es netback driver to deal witha frontend splitting a packet in a way such that not all of the headerswould come in one piece. Unfortunately the logic introduced theredidn't account for the extreme case of the entire packet being splitinto as many pieces as p...

CVE-2023-34320

Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412where software, under certain circumstances, could deadlock a coredue to the execution of either a load to device or non-cacheable memory,and either a store exclusive or register read of the PhysicalAddress Register (PAR_EL1) in close ...

CVE-2023-34321

Arm provides multiple helpers to clean & invalidate the cachefor a given region. This is, for instance, used when allocatingguest memory to ensure any writes (such as the ones during scrubbing)have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers...

CVE-2023-34322

For migration as well as to work around kernels unaware of L1TF (seeXSA-273), PV guests may be run in shadow paging mode. Since Xen itselfneeds to be mapped when PV guests run, Xen and shadowed PV guests rundirectly the respective shadow page tables. For 64-bit PV guests thismeans running on the sh...

CVE-2023-34323

When a transaction is committed, C Xenstored will first checkthe quota is correct before attempting to commit any nodes. It wouldbe possible that accounting is temporarily negative if a node hasbeen removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that th...

CVE-2023-34324

Closing of an event channel in the Linux kernel can result in a deadlock.This happens when the close is being performed in parallel to an unrelatedXen console action and the handling of a Xen console interrupt in anunprivileged guest. The closing of an event channel is e.g. triggered by removal of ...

CVE-2023-34325

[This CNA information record relates to multiple CVEs; thetext explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based ongrub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the sa...

CVE-2023-34326

The caching invalidation guidelines from the AMD-Vi specification (48882—Rev3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction(see stale DMA mappings) if some fields of the DTE are updated but the IOMMUTLB is not flushed. Such stale DMA mappings can point to memory ranges...

CVE-2023-34327

[This CNA information record relates to multiple CVEs; thetext explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of ...

CVE-2023-34328

[This CNA information record relates to multiple CVEs; thetext explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality.Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of ...

CVE-2023-46835

The current setup of the quarantine page tables assumes that thequarantine domain (dom_io) has been initialized with an address widthof DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tableslevels based on the maximum (hot...

CVE-2023-46836

The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (SpeculativeReturn Stack Overflow) are not IRQ-safe. It was believed that themitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately leftinterrupts enabled on two entry p...

CVE-2023-46837

Arm provides multiple helpers to clean & invalidate the cachefor a given region. This is, for instance, used when allocatingguest memory to ensure any writes (such as the ones during scrubbing)have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers...

CVE-2023-4949

An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation.