Xen
cpe:2.3:a:xen:xen:*:*:*:*:*:*:*
- >= 4.15
A vulnerability exists in Xen hypervisors version 4.15 and newer, affecting x86 HVM guests with Viridian enabled. It arises from improper input validation in the Viridian hypercalls that accept a vCPU ID mask. All three input formats the hypercalls accept are affected, and the result is out-of-bounds reads and writes. In the HV_VP_SET Sparse format, the vpmask_set() function can be driven to write outside the bounds of its allocated mask. With any of the input formats, the send_ipi() function can be made to read past the intended memory range and operate on invalid vCPU pointers. A malicious guest can therefore cause a denial of service affecting the entire host, an information leak, or a privilege escalation.
To address this vulnerability, apply the patches published with Xen Security Advisory XSA-475. For Xen 4.19.x down to 4.17.x, use the patches named 'xsa475-4.19-?'. After applying the patches, downstreams are encouraged to update to the latest stable branch.