From: carnil@debian.org
Source: xen
Version: 4.20.0+68-g35cb38b222-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team
Hi,
The following vulnerabilities were published for xen.
CVE-2025-27465[0]:
| Certain instructions need intercepting and emulating by Xen. In
| some cases Xen emulates the instruction by replaying it, using an
| executable stub. Some instructions may raise an exception, which is
| supposed to be handled gracefully. Certain replayed instructions
| have additional logic to set up and recover the changes to the
| arithmetic flags. For replayed instructions where the flags
| recovery logic is used, the metadata for exception handling was
| incorrect, preventing Xen from handling the exception
| gracefully, treating it as fatal instead.
CVE-2025-27466[1]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58142[2]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58143[3]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are multiple issues related to the handling and accessing of
| guest memory pages in the viridian code: 1. A NULL pointer
| dereference in the updating of the reference TSC area. This is
| CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM
| page is mapped when a synthetic timer message has to be
| delivered. This is CVE-2025-58142. 3. A race in the mapping
| of the reference TSC page, where a guest can get Xen to free a
| page while still present in the guest physical to machine (p2m)
| page tables. This is CVE-2025-58143.
CVE-2025-58144[4]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.
CVE-2025-58145[5]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| There are two issues related to the mapping of pages belonging to
| other domains: For one, an assertion is wrong there, where the case
| actually needs handling. A NULL pointer de-reference could result
| on a release build. This is CVE-2025-58144. And then the P2M lock
| isn't held until a page reference was actually obtained (or the
| attempt to do so has failed). Otherwise the page can not only
| change type, but even ownership in between, thus allowing domain
| boundaries to be violated. This is CVE-2025-58145.
CVE-2025-58147[6]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.
CVE-2025-58148[7]:
| [This CNA information record relates to multiple CVEs; the text
| explains which aspects/vulnerabilities correspond to which CVE.]
| Some Viridian hypercalls can specify a mask of vCPU IDs as an input,
| in one of three formats. Xen has boundary checking bugs with all
| three formats, which can cause out-of-bounds reads and writes while
| processing the inputs. * CVE-2025-58147. Hypercalls using the
| HV_VP_SET Sparse format can cause vpmask_set() to write out of
| bounds when converting the bitmap to Xen's format. *
| CVE-2025-58148. Hypercalls using any input format can cause
| send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild
| vCPU pointer.
CVE-2025-58149[8]:
| When passing through PCI devices, the detach logic in libxl won't
[continued in next message]
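The two vCPU-mask issues listed above (CVE-2025-58147 and CVE-2025-58148) both come down to a missing bound on the vCPU IDs a guest-supplied mask can name. As an added illustration, not Xen's vpmask_set() or send_ipi(): a converter for the HV_VP_SET sparse format (assumed here as a 64-bit valid-bank mask followed by one 64-bit bank per set bit, each bank covering 64 consecutive vCPU IDs) that rejects any bank or bit at or beyond the domain's max_vcpus before writing into a fixed-size mask, so that later per-vCPU array lookups driven by the mask stay in bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Constructed example, not Xen's data structures: a fixed-size vCPU
 * mask sized for MAX_VCPUS, filled from an HV_VP_SET sparse set. */
#define MAX_VCPUS 128
#define VPMASK_WORDS ((MAX_VCPUS + 63) / 64)

struct vpmask { uint64_t bits[VPMASK_WORDS]; };

/* Convert a sparse set into *mask. Returns false and leaves *mask
 * untouched if the header promises more banks than were supplied, or
 * if any bank or bit would name a vCPU ID >= max_vcpus. A caller that
 * indexes a per-vCPU array by IDs taken from a mask built here can
 * therefore trust every set bit. */
bool vpmask_from_sparse(struct vpmask *mask, unsigned int max_vcpus,
                        uint64_t valid_bank_mask,
                        const uint64_t *banks, size_t nr_banks)
{
    struct vpmask tmp;
    size_t used = 0;

    if (max_vcpus > MAX_VCPUS)
        return false;
    memset(&tmp, 0, sizeof(tmp));

    for (unsigned int bank = 0; bank < 64; bank++) {
        if (!(valid_bank_mask & ((uint64_t)1 << bank)))
            continue;
        if (used >= nr_banks)        /* header claims a bank we never got */
            return false;
        uint64_t bits = banks[used++];
        /* A bank starting at or past max_vcpus lies outside the mask:
         * accepting it is exactly the out-of-bounds write to avoid. */
        if ((uint64_t)bank * 64 >= max_vcpus)
            return false;
        if (bits == 0)
            continue;
        /* Highest ID the bank would set must still be below max_vcpus. */
        unsigned int top = 63 - __builtin_clzll(bits);
        if (bank * 64 + top >= max_vcpus)
            return false;
        tmp.bits[bank] |= bits;
    }
    *mask = tmp;
    return true;
}

/* Bounds-checked query, so a bad ID can never read past the mask. */
bool vpmask_test(const struct vpmask *mask, unsigned int vcpu_id)
{
    return vcpu_id < MAX_VCPUS &&
           ((mask->bits[vcpu_id / 64] >> (vcpu_id % 64)) & 1);
}
```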