Julien Grall

**Name of the Vulnerable Software and Affected Versions** C Xenstored (affected versions not specified) **Description** When a transaction is committed, C Xenstored checks the quota is correct before attempting to commit any nodes. It is possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored assume that the quota cannot be negative and use assert() to confirm it, leading to a crash when tools are built without -DNDEBUG (this is the default). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arm (affected versions not specified) **Description** The issue arises from the arithmetics in the cache cleaning and invalidation helpers provided by Arm, which can overflow and result in skipping the cache cleaning/invalidation. This means there is no guarantee when all writes will reach the memory, particularly when allocating guest memory and ensuring writes have reached memory before handing over the page to a guest. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to memory allocation and deallocation in Xenstore. When working on a request from a guest, Xenstore may allocate large amounts of memory temporarily. This memory is only freed after the request has been completed, which is considered finished only after the guest has read the response message from the ring page. If a guest does not read the response, Xenstore may not free the temporary memory, leading to memory shortages and potentially causing a Denial of Service (DoS) of Xenstore. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to the uncontrolled allocation of resources in Xenstore, which can lead to a Denial of Service (DoS) of xenstored. Malicious guests can cause xenstored to allocate large amounts of memory through various methods, including: - issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - causing a large number of watch events to be generated via setting up multiple xenstore watches and then deleting many xenstore nodes below the watched path - creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - accessing many nodes inside a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to the creation of orphaned Xenstore nodes by guests. This occurs when a malicious guest creates multiple nodes inside a transaction, resulting in an error. The cleanup after the error does not remove all nodes already created, allowing nodes without a valid parent to be made permanent in the database when the transaction is committed. This can lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to a bug in the fix of XSA-115, where a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path. This can result in a crash of xenstored or a memory corruption in xenstored, causing further damage. The error path can be controlled by the guest, for example, by exceeding the quota value of maximum nodes per domain. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to errors in memory release due to the creation of an arbitrary number of nodes via transactions. This can enable a malicious guest to create an arbitrary number of nodes, potentially leading to a denial of service. When a node is created in a transaction and later deleted in the same transaction, the transaction will be terminated with an error. This error occurs only when handling the deleted node at transaction finalization, resulting in the transaction being performed partially without updating the accounting information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to the Xenstore component of the Xen hypervisor, where malicious guests can cause xenstored to allocate large amounts of memory. This can result in a Denial of Service (DoS) of xenstored. There are multiple ways guests can cause large memory allocations, including issuing new requests without reading responses, causing a large number of watch events, creating many nodes with maximum size and path length, and accessing many nodes inside a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to the uncontrolled allocation of resources in Xenstore, which can lead to a Denial of Service (DoS) of xenstored. Malicious guests can cause xenstored to allocate large amounts of memory through various methods, including issuing new requests without reading responses, generating a large number of watch events, creating multiple nodes with maximum size and path length, and accessing many nodes inside a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to the uncontrolled allocation of resources in Xenstore, which can lead to a Denial of Service (DoS) of xenstored. Malicious guests can cause xenstored to allocate large amounts of memory by various means, including issuing new requests without reading responses, generating a large number of watch events, creating multiple nodes with maximum size and path length, and accessing many nodes inside a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to the uncontrolled allocation of resources in Xenstore, which can lead to a Denial of Service (DoS) of xenstored. Malicious guests can cause xenstored to allocate large amounts of memory by issuing new requests without reading responses, causing responses to be buffered in memory, generating a large number of watch events, creating many nodes with maximum size and path length, or accessing many nodes inside a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to the uncontrolled allocation of resources in Xenstore, which can lead to a Denial of Service (DoS) of xenstored. Malicious guests can cause xenstored to allocate large amounts of memory through various methods, including issuing new requests without reading responses, generating a large number of watch events, creating multiple nodes with maximum size and path length, and accessing many nodes inside a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue allows guests to create an arbitrary number of nodes via transactions. If a node is created in a transaction and later deleted in the same transaction, the transaction will be terminated with an error. This error occurs when handling the deleted node at transaction finalization, resulting in the transaction being performed partially without updating the accounting information. A malicious guest can exploit this to create an arbitrary number of nodes. The vulnerability is related to errors in memory release due to the creation of an arbitrary number of nodes through transactions, which can lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to uncontrolled resource allocation in the Xenstore storage of the Xen hypervisor. Exploitation can lead to a denial of service (DoS) of xenstored. Malicious guests can cause xenstored to allocate large amounts of memory by various means, including issuing new requests without reading responses, generating a large number of watch events, creating many nodes with maximum size and path length, or accessing many nodes inside a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenstore (affected versions not specified) **Description** The issue is related to the uncontrolled allocation of resources in Xenstore, which can lead to a Denial of Service (DoS) of xenstored. Malicious guests can cause xenstored to allocate large amounts of memory through various methods, including issuing new requests without reading responses, generating a large number of watch events, creating multiple nodes with maximum size and path length, and accessing many nodes inside a transaction. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The P2M pool, which backs second level address translation for guests, may be of significant size, causing its freeing to take excessively long without intermediate preemption checks. Such checks for the need to preempt were missing. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xen (affected versions not specified) **Description** The issue arises from insufficient cleanup of passed-through device IRQs associated with physical devices exposed to x86 HVM guests. This involves an iterative operation, particularly when cleaning up after the guest's use of the device. If an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. However, when multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time, pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xen (affected versions not specified) **Description** A PV guest could cause a denial of service (DoS) in Xen while unmapping a grant. This issue arises from the introduction of reference counting for grant mappings when a PV guest has the IOMMU enabled. PV guests can request two forms of mappings, and when both are in use for an individual mapping, unmapping can be requested in two steps. The reference count for such a mapping would then be mistakenly decremented twice, leading to an underflow of the counters. This underflow triggers a hypervisor bug check. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Xen versions prior to 4.14 Description: The issue arises when grant table v2 status pages are de-allocated as a guest switches back from v2 to v1, potentially allowing a guest to retain access to a page that was freed and perhaps re-used for other purposes. This occurs because the hypervisor tracks only one use within guest space, but racing requests from the guest can result in these pages becoming mapped in multiple locations. The majority of such pages remain allocated or associated with a guest for its entire lifetime, but grant table v2 status pages are an exception, getting de-allocated when a guest switches back from v2 to v1. Recommendations: For versions prior to 4.14, update to Xen 4.14 or a security-supported Xen branch that includes the backported fix. As a temporary workaround, consider restricting access to grant table v2 status pages to minimize the risk of exploitation. Avoid using grant table v2 status pages in multiple locations within guest space until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue arises when a guest is allowed to have close to 16TiB of memory. It may then issue hypercalls to increase its memory allocation beyond the administrator-established limit due to a calculation done with 32-bit precision, which can overflow. As a result, only the overflowed (and hence small) number gets compared against the established upper bound. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.