Source: xen
Version: 4.20.0+68-g35cb38b222-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for xen.

CVE-2025-27465[0]:
| Certain instructions need intercepting and emulating by Xen. In
| some cases Xen emulates the instruction by replaying it, using an
| executable stub. Some instructions may raise an exception, which is
| supposed to be handled gracefully. Certain replayed instructions
| have additional logic to set up and recover the changes to the
| arithmetic flags. For replayed instructions where the flags
| recovery logic is used, the metadata for exception handling was
| incorrect, preventing Xen from handling the exception
| gracefully, treating it as fatal instead.

CVE-2025-27466[1]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.

CVE-2025-58142[2]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.

CVE-2025-58143[3]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.

CVE-2025-58144[4]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.

CVE-2025-58145[5]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.

CVE-2025-58147[6]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.

CVE-2025-58148[7]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.

CVE-2025-58149[8]:
| When passing through PCI devices, the detach logic in libxl won't
| remove access permissions to any 64bit memory BARs the device might
| have. As a result a domain can still have access to any 64bit memory
| BAR when such device is no longer assigned to the domain. For PV
| domains the permission leak allows the domain itself to map the
| memory in the page-tables. For HVM it would require a compromised
| device model or stubdomain to map the leaked memory into the HVM
| domain p2m.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27465
    https://www.cve.org/CVERecord?id=CVE-2025-27465
[1] https://security-tracker.debian.org/tracker/CVE-2025-27466
    https://www.cve.org/CVERecord?id=CVE-2025-27466
[2] https://security-tracker.debian.org/tracker/CVE-2025-58142
    https://www.cve.org/CVERecord?id=CVE-2025-58142
[3] https://security-tracker.debian.org/tracker/CVE-2025-58143
    https://www.cve.org/CVERecord?id=CVE-2025-58143
[4] https://security-tracker.debian.org/tracker/CVE-2025-58144
    https://www.cve.org/CVERecord?id=CVE-2025-58144
[5] https://security-tracker.debian.org/tracker/CVE-2025-58145
    https://www.cve.org/CVERecord?id=CVE-2025-58145
[6] https://security-tracker.debian.org/tracker/CVE-2025-58147
    https://www.cve.org/CVERecord?id=CVE-2025-58147
[7] https://security-tracker.debian.org/tracker/CVE-2025-58148
    https://www.cve.org/CVERecord?id=CVE-2025-58148
[8] https://security-tracker.debian.org/tracker/CVE-2025-58149
    https://www.cve.org/CVERecord?id=CVE-2025-58149

Regards,
Salvatore
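As an added illustration of the two bounds checks the CVE-2025-58147 / CVE-2025-58148 entries above call for (example code written for this page, not Xen's own vpmask_set() or send_ipi(); MAX_VCPUS, the sparse-set layout, the struct and function names are all assumptions), this converts a guest-supplied sparse vCPU set into a fixed-size bitmap only when every ID fits, and checks a vCPU index against the table size before dereferencing the slot:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical limits and types for this example, not Xen's definitions. */
#define MAX_VCPUS 128
#define VPMASK_WORDS ((MAX_VCPUS + 63) / 64)
struct vpmask { uint64_t bits[VPMASK_WORDS]; };

/* Sparse vCPU set: a 64-bit mask of valid banks (each covering 64 consecutive
 * vCPU IDs) followed by one 64-bit word per set bank bit (layout assumed). */
struct sparse_vpset {
    uint64_t valid_bank_mask;
    const uint64_t *banks;
    size_t nr_banks;    /* words actually supplied by the caller */
};

/* Set bit vp+i for every set bit i of mask; refuse IDs past the bitmap. */
static bool vpmask_set_checked(struct vpmask *m, unsigned int vp, uint64_t mask)
{
    for (unsigned int i = 0; mask; i++, mask >>= 1) {
        if (!(mask & 1))
            continue;
        unsigned int id = vp + i;
        if (id >= MAX_VCPUS)
            return false;   /* would write past m->bits[] */
        m->bits[id / 64] |= 1ULL << (id % 64);
    }
    return true;
}

/* Convert a guest-supplied sparse set into the fixed-size bitmap, rejecting
 * out-of-range vCPU IDs and a bank mask claiming more words than supplied. */
bool sparse_to_vpmask(const struct sparse_vpset *s, struct vpmask *m)
{
    size_t used = 0;
    *m = (struct vpmask){ { 0 } };
    for (unsigned int bank = 0; bank < 64; bank++) {
        if (!(s->valid_bank_mask & (1ULL << bank)))
            continue;
        if (used >= s->nr_banks || !vpmask_set_checked(m, bank * 64, s->banks[used++]))
            return false;
    }
    return true;
}

struct vcpu { unsigned int id; };
/* Check the index against the domain's vCPU count before touching the slot. */
const struct vcpu *vcpu_lookup(const struct vcpu *const *tbl, unsigned int nr, unsigned int id)
{
    return id < nr ? tbl[id] : NULL;   /* slot may still be NULL if unallocated */
}
```

A caller that receives false from sparse_to_vpmask(), or NULL from vcpu_lookup(), should fail the hypercall rather than proceed with a partial mask or an unchecked pointer.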

