Xen
cpe:2.3:o:xen:xen:*:*:*:*:x86:*:*
A buffer overrun vulnerability has been identified in Xen's shadow mode tracing code on x86 systems. This issue arises because the tracing code uses per-CPU variables that can be overwritten with guest-controlled data of variable size. The lack of proper bounds checking allows for the possibility of writing data larger than the variable can accommodate, leading to potential memory corruption.
The most likely consequence of the overrun is the introduction of incorrect trace data. Depending on the specific build of Xen, however, the corruption could also lead to privilege escalation, information leaks, or a denial-of-service condition.
To mitigate this vulnerability, run HVM guests in HAP mode only and disable tracing. Tracing can be turned off by stopping tools such as xentrace or xenbaked in Dom0, provided they were not started with the -x option. For systems running Xen 4.19.x, apply the patch 'xsa477.patch'; for Xen 4.18.x, 'xsa477-4.18.patch' is available.
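The mitigation check described above, as an added example that is not part of the advisory or of the Xen project's own tooling. It assumes guest configs are xl files under /etc/xen (a hypothetical path), that the xl key `hap` selects HAP (1, the default) versus shadow paging (0) for HVM guests, and that the tracing daemons appear as `xentrace`/`xenbaked` in `ps` output.

```shell
#!/bin/sh
# Added example, not from the advisory or the Xen project: audit a host for the
# two mitigations the advisory names (HAP-only HVM guests, no tracing daemons).
# Assumptions: guest configs are xl files under /etc/xen (path is hypothetical),
# the xl key "hap" selects HAP (1, default) vs shadow paging (0) for HVM guests,
# and tracing daemons appear as "xentrace"/"xenbaked" in "ps -eo pid,comm".

# Print PIDs of tracing daemons found in a "pid comm" process listing.
tracing_pids() {
    printf '%s\n' "$1" | awk '$2 == "xentrace" || $2 == "xenbaked" { print $1 }'
}

# Classify an xl config: "shadow" (HVM, hap=0), "hap" (HVM, default) or "pv".
paging_mode() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(type|builder)[[:space:]]*=[[:space:]]*"hvm"'; then
        if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*hap[[:space:]]*=[[:space:]]*0'; then
            echo shadow
        else
            echo hap
        fi
    else
        echo pv
    fi
}

# Walk real configs and the process table; with --stop, kill tracing daemons.
audit_host() {
    for f in /etc/xen/*.cfg; do
        [ -f "$f" ] || continue
        [ "$(paging_mode "$(cat "$f")")" = shadow ] && echo "shadow paging: $f"
    done
    for p in $(tracing_pids "$(ps -eo pid,comm)"); do
        echo "tracing daemon running: pid $p"
        [ "$1" = --stop ] && kill "$p"
    done
}
# Constructed sample inputs (not captured from a real host).
SAMPLE_PS='  PID COMMAND
    1 init
  933 xentrace
  940 sshd'
SAMPLE_CFG_SHADOW='name = "win-legacy"
type = "hvm"
hap = 0'
SAMPLE_CFG_HAP='name = "web01"
type = "hvm"'

echo "sample tracing pids: $(tracing_pids "$SAMPLE_PS")"
echo "win-legacy: $(paging_mode "$SAMPLE_CFG_SHADOW"), web01: $(paging_mode "$SAMPLE_CFG_HAP")"
```

Run `audit_host` on a real Dom0 to list guests still configured for shadow paging and any tracing daemons; `audit_host --stop` also terminates those daemons.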