Hypervisor heap contents leaked to guests

ID XSA-100
Type xen
Reporter Xen Project
Modified 2014-06-17T11:44:00



While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. Normally the leaked data is administrative information of limited value to an attacker. However, scenarios exist where guest CPU register state and hypercall arguments might be leaked.


A malicious guest might be able to read data relating to other guests or the hypervisor itself. Data at rest in guest memory or storage (filesystems) is not affected. However, it is possible for an attacker to obtain modest amounts of in-flight and in-use data, which might contain passwords or cryptographic keys.


Xen 3.2.x and later are vulnerable. Xen 3.1.x and earlier have not been inspected.