CVE-2019-19581
https://notcve.org/view.php?id=CVE-2019-19581
An issue was discovered in Xen through 4.12.x allowing 32-bit Arm guest OS users to cause a denial of service (out-of-bounds access) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On 32-bit Arm accesses to bitmaps with bit a count which is a multiple of 32, an out of bounds access may occur. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. 32-bit Arm systems are vulnerable. 64-bit Arm systems are not vulnerable. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43 https://seclists.org/bugtraq/2020/Jan/21 https://security.gentoo.org/glsa/202003-56 https://www.debian.org/security/2020/dsa-4602 https://xenbits.xen.org/xsa/advisory-307.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2019-19582
https://notcve.org/view.php?id=CVE-2019-19582
An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On x86 accesses to bitmaps with a compile time known size of 64 may incur undefined behavior, which may in particular result in infinite loops. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. x86 systems with 64 or more nodes are vulnerable (there might not be any such systems that Xen would run on). x86 systems with less than 64 nodes are not vulnerable. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43 https://seclists.org/bugtraq/2020/Jan/21 https://security.gentoo.org/glsa/202003-56 https://www.debian.org/security/2020/dsa-4602 https://xenbits.xen.org/xsa/advisory-307.html • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2019-19583
https://notcve.org/view.php?id=CVE-2019-19583
An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The VMX VMEntry checks do not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34HBFTYNMQMWIO2GGK7DB6KV4M6R5YPV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D5R73AYE53QA32KTMHUVKCX6E52CIS43 https://seclists.org/bugtraq/2020/Jan/21 https://security.gentoo.org/glsa/202003-56 https://www.debian.org/security/2020/dsa-4602 https://xenbits.xen.org/xsa/advisory-308.html •
CVE-2019-19579
https://notcve.org/view.php?id=CVE-2019-19579
An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device (and assignable-add is not used), because of an incomplete fix for CVE-2019-18424. XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these "alternate" methods are used will still leave the system in a vulnerable state after the device comes back from a guest. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00011.html http://www.openwall.com/lists/oss-security/2019/12/05/7 http://xenbits.xen.org/xsa/advisory-306.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJYT5FNGM7JSVHHW6B22TSAATBOAPFPD https://seclists.org/bugtraq/2020/Jan/21 https://www.debian.org/security/2020/dsa-4602 https://www.openwall.com/lists/oss-security/2019/11/26/2 https://xenbits.xen.org/xsa/advisory-30 • CWE-20: Improper Input Validation •
CVE-2019-18425
https://notcve.org/view.php?id=CVE-2019-18425
An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00037.html http://www.openwall.com/lists/oss-security/2019/10/31/2 http://xenbits.xen.org/xsa/advisory-298.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BQKX7M2RHCWDBKNPX4KEBI3MJIH6AYZ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5WWPW4BSZDDW7VHU427XTVXV7ROOFFW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IZYATWNUG • CWE-269: Improper Privilege Management •