Information

Files

Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2025-58150 / XSA-477
                               version 2

           x86: buffer overrun with shadow paging + tracing

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Shadow mode tracing code uses a set of per-CPU variables to avoid
cumbersome parameter passing.  Some of these variables are written to
with guest controlled data, of guest controllable size.  That size can
be larger than the variable, and bounding of the writes was missing.

IMPACT
======

The exact effects depend on what's adjacent to the variables in
question.  The most likely effects are bogus trace data, but none of
privilege escalation, information leaks, or Denial of Service (DoS) can
be excluded without detailed analysis of the particular build of Xen.

VULNERABLE SYSTEMS
==================

Only x86 systems are vulnerable.  Arm systems are not vulnerable.

Only HVM guests running in shadow paging mode and with tracing enabled
can leverage the vulnerability.

MITIGATION
==========

Running HVM guests in HAP mode only will avoid the vulnerability.

Not enabling tracing will also avoid the vulnerability.  Tracing is
enabled by the "tbuf_size=" command line option, or by running tools
like xentrace or xenbaked in Dom0.  Note that on a running system
stopping xentrace / xenbaked would disable tracing.  For xentrace,
however, this additionally requires that it wasn't started with the -x
option.  Stopping previously enabled tracing can of course only prevent
future damage; prior damage may have occurred and may manifest only
later.

CREDITS
=======

This issue was discovered by Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa477.patch           xen-unstable - Xen 4.19.x
xsa477-4.18.patch      Xen 4.18.x

$ sha256sum xsa477*
025783441d7db846e717a1e48547b0db7a36fcc6af652b688524c684f0c3d2a7  xsa477.patch
194da830e15195873456b145a8df83af43aaae7a82fa6cb6852928d75c68909c  xsa477-4.18.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAml4qLYMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ+IkH/jgVtAAifglnIrxstdAUXMritwnXvcrIJaKjG7yj
8980GavdbttObFRL+d2XvPXAQLRWCbgMNgNFA9s/6EhH2cCMF9mmeYxxU9zqG9qi
MQyfp1v/UpNrvD4hdHIXhohMELF6IdXQkrRvnB0hJwSPsDEzMZyofTOKppmSqSE1
tIdFXD1R845KTl9eG1lX4uwr2KhAjAgk4DrpIvxmtkiz3yF8kznjAGDSA7luKkTU
XBSlBe9u/9Yg5cspQrh7tVQ0K+6wDR6f4bCq26P/VCDUjwRIzHDhdP+RzKaumLGn
nTU0aAuIBlXYCa+8HB5c9vf/yLldKflYZ4Qmb3jGD4GYZrQ=
=nlvD
-----END PGP SIGNATURE-----