CVE-2020-29484

An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires,
the xenstore client that registered the watch will receive a Xenstore
message containing the path of the modified Xenstore entry that triggered
the watch, and the tag that was specified when registering the watch. Any
communication with xenstored is done via Xenstore messages, consisting of a
message header and the payload. The payload length is limited to 4096
bytes. Any request to xenstored resulting in a response with a payload
longer than 4096 bytes will result in an error. When registering a watch,
the payload length limit applies to the combined length of the watched path
and the specified tag. Because watches for a specific path are also
triggered for all nodes below that path, the payload of a watch event
message can be longer than the payload needed to register the watch. A
malicious guest that registers a watch using a very large tag (i.e., with a
registration operation payload length close to the 4096 byte limit) can
cause the generation of watch events with a payload length larger than 4096
bytes, by writing to Xenstore entries below the watched path. This will
result in an error condition in xenstored. This error can result in a NULL
pointer dereference, leading to a crash of xenstored. A malicious guest
administrator can cause xenstored to crash, leading to a denial of service.
Following a xenstored crash, domains may continue to run, but management
operations will be impossible. Only C xenstored is affected, oxenstored is
not affected.

Notes