Debian Xen vulnerabilities

478 known vulnerabilities affecting debian/xen.

Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96

Vulnerabilities

Page 8 of 24
CVE-2020-29571 | MEDIUM | CVSS 6.2 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer side uses appropriately ordered writes, the consumer side isn't protected against re-ordered reads, and may hence end up de-referencing a NULL pointer. Malicious or buggy

CVE-2020-25604 | MEDIUM | CVSS 4.7 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrating timers of x86 HVM guests between its vCPUs, the locking model used allows for a second vCPU of the same guest (also operating on the timers) to release a lock that it didn't acquire. The most likely effect of the issue is a hang or crash

CVE-2020-25597 | MEDIUM | CVSS 6.5 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the lifetime of a guest. However, operations like the resetting of all event channels may involve dec

CVE-2020-15566 | MEDIUM | CVSS 6.5 | fixed in xen 4.11.4+24-gddaaccbbab-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, or (3) the port we try to allocate is higher than what is supported by

CVE-2020-29486 | MEDIUM | CVSS 6.0 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. Nodes in xenstore have an ownership. In oxenstored, an owner could give a node away. However, node ownership has quota implications. Any guest can run another guest out of quota, or create an unbounded number of nodes owned by dom0, thus running xenstored out of memory. A malicious guest administrator can cause a denial of

CVE-2020-29482 | MEDIUM | CVSS 6.0 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests' namespaces, necessarily using absolute paths. oxenstored imposes a pathname limit that is applied so

CVE-2020-25601 | MEDIUM | CVSS 5.5 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, th

CVE-2020-29567 | MEDIUM | CVSS 6.2 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen 4.14.x. When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU may send an interrupt to itself, in the expectation t

CVE-2020-29484 | MEDIUM | CVSS 6.0 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering the watch. Any communication with xenstored is done via Xenstore messages, consisting of a

CVE-2020-29570 | MEDIUM | CVSS 6.2 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. Sc

CVE-2020-15564 | MEDIUM | CVSS 6.5 | fixed in xen 4.11.4+24-gddaaccbbab-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the

CVE-2020-15563 | MEDIUM | CVSS 6.5 | fixed in xen 4.11.4+24-gddaaccbbab-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service

CVE-2020-29485 | MEDIUM | CVSS 5.5 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen 4.6 through 4.14.x. When acting upon a guest XS_RESET_WATCHES request, not all tracking information is freed. A guest can cause unbounded memory usage in oxenstored. This can lead to a system-wide DoS. Only systems using the Ocaml Xenstored implementation are vulnerable. Systems using the C Xenstored implementation are not vulnerable. Sc

CVE-2020-11740 | MEDIUM | CVSS 5.5 | fixed in xen 4.11.4-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed. Scope: local bookworm: resolved (fixed in 4.11.4-1) bullseye:

CVE-2020-11743 | MEDIUM | CVSS 5.5 | fixed in xen 4.11.4-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of a bad error path in GNTTABOP_map_grant. Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats t

CVE-2020-29483 | MEDIUM | CVSS 6.5 | fixed in xen 4.14.0+88-g1d1d1f5391-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by just removing the guest from xenstored's internal management, resulting in the same actions as if the guest had been des

CVE-2020-28368 | MEDIUM | CVSS 4.4 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[MEDIUM] xen - Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen. Scope: local bookworm: resolved (fixed in 4

CVE-2020-27674 | MEDIUM | CVSS 5.3 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique. Scope: local bookworm: resolved (fixed in 4.14.0+80-gd101b417b7-1) bullseye: resolved (fixed in 4.14.0+80-gd101b417b7-1) forky: res

CVE-2020-25600 | MEDIUM | CVSS 5.5 | fixed in xen 4.14.0+80-gd101b417b7-1 (bookworm) | 2020
[MEDIUM] xen - An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so-called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared (bet

CVE-2020-25598 | LOW | CVSS 5.5 | 2020
[MEDIUM] xen - An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar to forgetting to unlock a spinlock. A buggy or malicious HVM stubdoma