Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 7 of 24
CVE-2021-28700 | MEDIUM | CVSS 4.9 | fixed in xen 4.14.3-1 (bookworm) | 2021
[MEDIUM] xen - xen/arm: No memory limit for dom0less domUs. The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allows a domain to allocate memory beyond what an administrator originally configured. Scope: local; bookworm: resolved (fixed in 4.14.3-1); bullseye: resolved (fixed

CVE-2021-28710 | LOW | CVSS 8.8 | 2021
[HIGH] xen - certain VT-d IOMMUs may not work in shared page table mode. For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3

CVE-2021-28689 | LOW | CVSS 5.5 | 2021
[MEDIUM] xen - x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests. 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different implementation approac

CVE-2020-11742 | HIGH | CVSS 8.8 | fixed in xen 4.11.4-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller witho

CVE-2020-27671 | HIGH | CVSS 7.8 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x allowing x86 HVM and PVH guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because coalescing of per-page IOMMU TLB flushes is mishandled. Scope: local; bookworm: resolved (fixed in 4.14.0+80-gd101b417b7-1); bullseye: resolved (fixed in 4.14.0+80-gd101b417b7-1); forky:

CVE-2020-25603 | HIGH | CVSS 7.8 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A ma

CVE-2020-25595 | HIGH | CVSS 7.8 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common f

CVE-2020-27672 | HIGH | CVSS 7.0 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to a use-after-free involving 2MiB and 1GiB superpages. Scope: local; bookworm: resolved (fixed in 4.14.0+80-gd101b417b7-1); bullseye: resolved (fixed in 4.14.0+80-gd1

CVE-2020-15567 | HIGH | CVSS 7.8 | fixed in xen 4.11.4+24-gddaaccbbab-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might ex

CVE-2020-15565 | HIGH | CVSS 8.8 | fixed in xen 4.11.4+24-gddaaccbbab-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IO

CVE-2020-29481 | HIGH | CVSS 8.8 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x. Access rights of Xenstore nodes are per domid. Unfortunately, existing granted access rights are not removed when a domain is being destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domain(s) with the same domid. Because all Xenstore entrie

CVE-2020-11739 | HIGH | CVSS 7.8 | fixed in xen 4.11.4-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlo

CVE-2020-27670 | HIGH | CVSS 7.8 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-table entry can be half-updated. Scope: local; bookworm: resolved (fixed in 4.14.0+80-gd101b417b7-1); bullseye: resolved (fixed in 4.14.0+80-gd101b417b7-1); forky: resolved (fixed

CVE-2020-29040 | HIGH | CVSS 7.8 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data leak, or possibly gain privileges because of an off-by-one error. NOTE: this issue is caused by an incorrect fix for CVE-2020-27671. Scope: local; bookworm: resolved (fixed in 4.14.0+88-g1d1d1f5391-1); bullseye: resolved (fixed in 4.1

CVE-2020-29479 | HIGH | CVSS 8.8 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x. In the OCaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent. Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests can get and modify permissions, list, and delete the root node. (Deleti

CVE-2020-11741 | HIGH | CVSS 8.8 | fixed in xen 4.11.4-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this

CVE-2020-25599 | HIGH | CVSS 7.0 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[HIGH] xen - An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be

CVE-2020-29566 | MEDIUM | CVSS 5.5 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen without having actually completed the operation,

CVE-2020-25602 | MEDIUM | CVSS 6.0 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. An x86 PV guest can trigger a host OS crash when handling guest access to MSR_MISC_ENABLE. When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read is performed w

CVE-2020-25596 | MEDIUM | CVSS 5.5 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege #GP fault (t