CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46835 – x86/AMD: mismatch in IOMMU quarantine page table levels
https://notcve.org/view.php?id=CVE-2023-46835
05 Jan 2024 — The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() w... • https://xenbits.xenproject.org/xsa/advisory-445.html •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34328 – x86/AMD: Debug Mask handling
https://notcve.org/view.php?id=CVE-2023-34328
05 Jan 2024 — [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over... • https://xenbits.xenproject.org/xsa/advisory-444.html •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34327 – x86/AMD: Debug Mask handling
https://notcve.org/view.php?id=CVE-2023-34327
05 Jan 2024 — [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over... • https://xenbits.xenproject.org/xsa/advisory-444.html •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34325 – Multiple vulnerabilities in libfsimage disk handling
https://notcve.org/view.php?id=CVE-2023-34325
05 Jan 2024 — [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a priviledged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further anal... • https://xenbits.xenproject.org/xsa/advisory-443.html • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34326 – x86/AMD: missing IOMMU TLB flushing
https://notcve.org/view.php?id=CVE-2023-34326
05 Jan 2024 — The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions. Las pautas de invalidación de almacenamiento en caché de la especificación AMD-Vi (48882—Rev 3.07-PUB—octubre de 2022) son incorrectas... • https://xenbits.xenproject.org/xsa/advisory-442.html •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34323 – xenstored: A transaction conflict can crash C Xenstored
https://notcve.org/view.php?id=CVE-2023-34323
05 Jan 2024 — When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default). Cuando se confirma una transacción, C Xenstored ... • https://xenbits.xenproject.org/xsa/advisory-440.html • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34322 – top-level shadow reference dropped too early for 64-bit PV guests
https://notcve.org/view.php?id=CVE-2023-34322
05 Jan 2024 — For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table. In the course of dealing with shortage of memory in the shadow pool associated with a domain, shadows of page tables may be torn down. This tearing down may include the shado... • https://xenbits.xenproject.org/xsa/advisory-438.html • CWE-273: Improper Check for Dropped Privileges •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34321 – arm32: The cache may not be properly cleaned/invalidated
https://notcve.org/view.php?id=CVE-2023-34321
05 Jan 2024 — Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. Arm proporciona múltiples ayudas para limpiar e invalidar ... • https://xenbits.xenproject.org/xsa/advisory-437.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-34320 – arm: Guests can trigger a deadlock on Cortex-A77
https://notcve.org/view.php?id=CVE-2023-34320
08 Dec 2023 — Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity. Los núcleos Cortex-A77 (r0p0 y r1p0) se ven afectados por la errata 1508412 donde el software, bajo ciertas circunstancias, podría bloquear un núcleo debido a la ejecución de una carga en el disposi... • https://xenbits.xenproject.org/xsa/advisory-436.html • CWE-667: Improper Locking •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-34324 – Possible deadlock in Linux kernel event handling
https://notcve.org/view.php?id=CVE-2023-34324
13 Nov 2023 — Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-gues... • https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html • CWE-400: Uncontrolled Resource Consumption •