unexpected pitfall in xenaccess API

Type xen
Reporter Xen Project
Modified 2014-06-17T11:44:00



A test/example program, for exercising the Xen memaccess API, does not take all necessary precautions against hostile guest behaviour. As a result, software developers using it as an example or template might have written and deployed vulnerable code. See the patch for technical details of the problem.


Deployments of software inspired by, or derived from, xen.git/tools/tests/xen-access/xen-access.c, may be vulnerable to privilege escalation by a malicious guest administrator. xen-access is a test/example program and is not, without modification, useful in production. It is not built or installed by default.


Unmodified Xen installations (including installations as provided by typical Free Software distributions) are not vulnerable.

The following toolstacks/libraries do not use memaccess, so systems using Xen only via the following are not vulnerable: libxl; xl; xend; xm; libvirt.

In general, Xen installations which make no use of the Xen memory access API (xc_mem_access_..., "XENMEM_access_...", XEN_DOMCTL_MEM_EVENT_OP_ACCESS_ENABLE) are not vulnerable.

Systems using the Xen hypervisor 4.1 or earlier are not vulnerable.

ARM systems are not vulnerable. AMD systems are not vulnerable. Intel x86 systems without EPT are not vulnerable.

Software developers who have based their efforts on xen-access.c may have constructed vulnerable systems. Such developers should examine their software, and communicate with their own downstreams, as applicable.

Users of Xen-derived systems, whose vulnerability is not excluded above, should consult their vendor for information about the applicability of this vulnerability.
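
Whether a code base uses the memory access API at all can be checked by searching it for the three identifiers listed above. The following Python script is an added example, not part of the advisory or of Xen; the function names, the sample tree and the xc_mem_access_PLACEHOLDER symbol are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Identifiers the advisory gives as marking use of the Xen memory access API.
MEMACCESS = re.compile(
    r"\bxc_mem_access_\w*"
    r"|\bXENMEM_access_\w*"
    r"|\bXEN_DOMCTL_MEM_EVENT_OP_ACCESS_ENABLE\b"
)


def find_memaccess_use(root):
    """Map each file under root to its [(line_no, identifier), ...] matches."""
    root = Path(root)
    hits = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        found = [
            (no, m.group(0))
            for no, line in enumerate(lines, 1)
            for m in MEMACCESS.finditer(line)
        ]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def build_sample_tree(root):
    """Write a constructed two-file tree (not real Xen code) for the demo."""
    root = Path(root)
    (root / "monitor.c").write_text(
        "/* constructed sample */\n"
        "int op = XEN_DOMCTL_MEM_EVENT_OP_ACCESS_ENABLE;\n"
        "int rc = xc_mem_access_PLACEHOLDER();  /* hypothetical name */\n"
    )
    (root / "util.c").write_text("int add(int a, int b) { return a + b; }\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, found in find_memaccess_use(tmp).items():
            for line_no, ident in found:
                print(f"{name}:{line_no}: {ident}")
```

A match only shows that the code touches the memaccess API; whether it repeats the missing precautions of xen-access.c still has to be judged against the patch.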