CVSS3 | 8.8 High |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2 | 8.5 High |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS | 0.009 Low |
---|---|
Percentile | 82.4% |

An issue was discovered in Xen through 4.12.x allowing ARM guest OS users
to cause a denial of service via a XENMEM_add_to_physmap hypercall.

p2m->max_mapped_gfn is used by the functions
p2m_resolve_translation_fault() and p2m_get_entry() to sanity check a guest
physical frame. The rest of the code in the two functions assumes that
there is a valid root table and checks that with BUG_ON().

The function p2m_get_root_pointer() ignores the unused top bits of a guest
physical frame. This means that the function p2m_set_entry() will alias the
frame. However, p2m->max_mapped_gfn is updated using the original frame. It
is therefore possible to set p2m->max_mapped_gfn high enough to cover a
frame that leads p2m_get_root_pointer() to return NULL in p2m_get_entry()
and p2m_resolve_translation_fault().

Additionally, the sanity check on p2m->max_mapped_gfn is off-by-one,
allowing “highest mapped + 1” to be considered valid. However,
p2m_get_root_pointer() will return NULL.

The problem could be triggered with a specially crafted hypercall
XENMEM_add_to_physmap{, _batch} followed by an access to an address (via
hypercall or direct access) that passes the sanity check but causes
p2m_get_root_pointer() to return NULL.

A malicious guest administrator may cause a hypervisor crash, resulting in
a Denial of Service (DoS). Xen versions 4.8 and newer are vulnerable. Only
Arm systems are vulnerable. x86 systems are not affected.

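The two flaws described above, reduced to a toy model (an added example, not Xen's code and not its patch). The table geometry and the names `toy_p2m`, `root_index`, `set_entry_flawed`, `set_entry_checked` and `lookup` are hypothetical, and the hardened set path is an illustrative range check rather than the fix Xen shipped.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed toy geometry (assumption), not Xen's real constants. */
#define TABLE_SHIFT 4u   /* 16 frames per root table */
#define INDEX_MASK  0x7u /* root index field is 3 bits wide */
#define ROOT_TABLES 2u   /* only 2 root tables exist */
#define GFN_LIMIT   ((uint64_t)ROOT_TABLES << TABLE_SHIFT) /* 32 frames */

struct toy_p2m { uint64_t max_mapped_gfn; };
/* Bits above the index field are ignored; an index past the existing
 * tables means "no root table" (-1 stands in for a NULL pointer). */
static int root_index(uint64_t gfn)
{
    unsigned idx = (unsigned)(gfn >> TABLE_SHIFT) & INDEX_MASK;
    return idx < ROOT_TABLES ? (int)idx : -1;
}

/* Flawed set path: the write is aliased, the bound keeps the raw gfn. */
static bool set_entry_flawed(struct toy_p2m *p, uint64_t gfn)
{
    if (root_index(gfn) < 0) return false;
    if (gfn > p->max_mapped_gfn) p->max_mapped_gfn = gfn;
    return true;
}

/* Hardened set path (assumed shape): refuse frames the tables cannot describe. */
static bool set_entry_checked(struct toy_p2m *p, uint64_t gfn)
{
    if (gfn >= GFN_LIMIT) return false;
    if (gfn > p->max_mapped_gfn) p->max_mapped_gfn = gfn;
    return true;
}

/* Lookup: 0 = rejected by the bound, 1 = root found, -1 = passed the
 * bound but no root table, the state a BUG_ON() would crash on. */
static int lookup(const struct toy_p2m *p, uint64_t gfn, bool off_by_one)
{
    uint64_t bound = p->max_mapped_gfn + (off_by_one ? 1 : 0);
    if (gfn > bound) return 0;
    return root_index(gfn) < 0 ? -1 : 1;
}

int main(void)
{
    struct toy_p2m flawed = { 0 }, fixed = { 0 };
    set_entry_flawed(&flawed, 133);  /* 133 aliases onto root table 0 */
    set_entry_checked(&fixed, 133);  /* rejected: 133 >= GFN_LIMIT */
    return (lookup(&flawed, 40, true) == -1 && lookup(&fixed, 40, false) == 0) ? 0 : 1;
}
```

In the model, the aliased insert alone is enough to reach the "no root table" state, and the off-by-one bound reaches it independently when the highest valid frame is mapped.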
Author | Note |
---|---|
mdeslaur | hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary |
www.openwall.com/lists/oss-security/2019/10/31/4
xenbits.xen.org/xsa/advisory-301.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18423
launchpad.net/bugs/cve/CVE-2019-18423
nvd.nist.gov/vuln/detail/CVE-2019-18423
security-tracker.debian.org/tracker/CVE-2019-18423