-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xen Security Advisory CVE-2025-27466,CVE-2025-58142,CVE-2025-58143 / XSA-472
version 2
Multiple vulnerabilities in the Viridian interface
UPDATES IN VERSION 2
====================
Public release.
ISSUE DESCRIPTION
=================
There are multiple issues related to the handling and accessing of guest
memory pages in the viridian code:
1. A NULL pointer dereference in the updating of the reference TSC area.
This is CVE-2025-27466.
2. A NULL pointer dereference by assuming the SIM page is mapped when
a synthetic timer message has to be delivered. This is
CVE-2025-58142.
3. A race in the mapping of the reference TSC page, where a guest can
get Xen to free a page while still present in the guest physical to
machine (p2m) page tables. This is CVE-2025-58143.
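As an added illustration of the three issues (this is not Xen code and not part of the advisory or its patches), the following C model replays the HV_X64_MSR_REFERENCE_TSC write path for two vCPUs. The handler is split into the steps the real code performs (take the lock, read the current page pointer, clear it and drop its reference, map the new gfn and update the page, release the lock) so a chosen interleaving can be replayed deterministically, with or without the lock that the third patch introduces, and with the NULL check that the first patch adds. The page, reference-count and lock structures, the step split, `run_schedule` and the "AABB" interleaving are all constructed for the model; `get_page_from_gfn` and `put_page` here are simplified stand-ins, not Xen's functions.

```c
/* Added model (not Xen code) of the XSA-472 reference TSC page write path: two
 * "vCPUs" write HV_X64_MSR_REFERENCE_TSC, with the handler split into the steps
 * the real code performs so that a chosen interleaving can be replayed
 * deterministically, with or without the lock that patch 3 introduces. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NR_GFNS 4
#define INVALID_GFN 0xFFFFFFFFu   /* constructed: no guest page behind this gfn */

struct guest_page { int refcount; bool freed; };   /* refcount 1 == held by the p2m only */
struct vcpu { uint32_t gfn; int step; struct guest_page *pg; };
struct model {
    struct guest_page pages[NR_GFNS];
    struct guest_page *reference_tsc;   /* vd->reference_tsc.page, NULL when unmapped */
    bool use_lock, lock_held;           /* lock_held stands in for vd->lock */
    int updates_skipped;
};
struct outcome { int freed_while_in_p2m, leaked, updates_skipped, mapped_refcount; bool page_mapped; };

/* Stand-in for get_page_from_gfn(): NULL for an unsuitable gfn, else takes a reference. */
static struct guest_page *get_page_from_gfn(struct model *m, uint32_t gfn)
{
    if (gfn >= NR_GFNS) return NULL;
    m->pages[gfn].refcount++;
    return &m->pages[gfn];
}

/* Stand-in for put_page_and_type(): dropping the last reference frees the page. */
static void put_page(struct guest_page *pg)
{
    if (--pg->refcount == 0) pg->freed = true;   /* freed while the guest p2m still maps it */
}

/* update_reference_tsc() with the patch 1 guard: an unmapped page is tolerated. */
static void update_reference_tsc(struct model *m)
{
    if (!m->reference_tsc) { m->updates_skipped++; return; }   /* was a NULL dereference */
    /* the real function rewrites the page's seq/scale/offset fields here */
}

/* One handler step for one vCPU; false when blocked on the lock or already finished. */
static bool vcpu_step(struct model *m, struct vcpu *v)
{
    switch (v->step) {
    case 0:   /* spin_lock(&vd->lock); a no-op without patch 3 */
        if (m->use_lock && m->lock_held) return false;
        m->lock_held = m->use_lock;
        break;
    case 1:   /* viridian_unmap_guest_page(): read the current page pointer */
        v->pg = m->reference_tsc;
        break;
    case 2:   /* ... then clear the field and drop the reference it held */
        m->reference_tsc = NULL;
        if (v->pg) put_page(v->pg);
        break;
    case 3:   /* viridian_map_guest_page() followed by update_reference_tsc() */
        m->reference_tsc = get_page_from_gfn(m, v->gfn);
        update_reference_tsc(m);
        break;
    case 4:   /* spin_unlock(&vd->lock) */
        m->lock_held = false;
        break;
    default:
        return false;
    }
    v->step++;
    return true;
}

/* Replay `schedule` ('A'/'B' picks the vCPU for the next step), then let both finish. */
static struct outcome run_schedule(bool use_lock, const char *schedule,
                                   uint32_t gfn_a, uint32_t gfn_b)
{
    struct model m = { .use_lock = use_lock };
    struct vcpu a = { gfn_a, 0, NULL }, b = { gfn_b, 0, NULL };
    struct outcome o = { 0 };
    for (int i = 0; i < NR_GFNS; i++) m.pages[i].refcount = 1;   /* all pages sit in the p2m */
    m.reference_tsc = get_page_from_gfn(&m, 0);                   /* gfn 0 mapped before the race */
    for (; *schedule; schedule++) vcpu_step(&m, *schedule == 'A' ? &a : &b);
    while (vcpu_step(&m, &a) || vcpu_step(&m, &b)) { }
    o.updates_skipped = m.updates_skipped;
    o.page_mapped = m.reference_tsc != NULL;
    o.mapped_refcount = o.page_mapped ? m.reference_tsc->refcount : 0;
    for (int i = 0; i < NR_GFNS; i++) {
        if (m.pages[i].freed) o.freed_while_in_p2m++;
        else if (m.pages[i].refcount != 1 && &m.pages[i] != m.reference_tsc)
            o.leaked++;   /* a reference was taken but no mapping holds it */
    }
    return o;
}

int main(void)
{
    struct outcome racy = run_schedule(false, "AABB", 1, 2), safe = run_schedule(true, "AABB", 1, 2);
    struct outcome bad = run_schedule(true, "AB", 1, INVALID_GFN);
    printf("unlocked: freed while in p2m=%d leaked=%d\n", racy.freed_while_in_p2m, racy.leaked);
    printf("locked:   freed=%d leaked=%d mapped refcount=%d\n", safe.freed_while_in_p2m, safe.leaked, safe.mapped_refcount);
    printf("bad gfn:  mapped=%d updates skipped=%d\n", bad.page_mapped, bad.updates_skipped);
    return 0;
}
```

Without the lock, the "AABB" schedule has both vCPUs read the same page pointer before either clears it: the page's last reference is dropped while the guest p2m still maps it (the information-leak condition of issue 3), and the reference taken for gfn 1 is never returned. With the lock, the second vCPU is held at step 0 until the first has finished and every count balances. Writing an unsuitable gfn leaves the page pointer NULL, which the guard from the first patch now tolerates instead of dereferencing it.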
IMPACT
======
Denial of Service (DoS) affecting the entire host, information leaks, or
elevation of privilege.
VULNERABLE SYSTEMS
==================
Xen versions 4.13 and newer are vulnerable. Xen versions 4.12 and older
are not vulnerable.
Only x86 HVM guests which have the reference_tsc or stimer viridian
extensions enabled are vulnerable.
MITIGATION
==========
Not enabling the reference_tsc and stimer viridian extensions will avoid
the issues.
CREDITS
=======
This issue was discovered by Roger Pau Monné of XenServer.
RESOLUTION
==========
Applying the appropriate set of attached patches resolves this issue.
Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball. Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.
xsa472-?.patch xen-unstable - Xen 4.17.x
$ sha256sum xsa472*
16e14b3cc87800c08d96adc18e66aa4a20a77834af12b9cdd01d739882f07b7d xsa472-1.patch
4be6a1066fbec367e8c9883240cec2a78671d484928d51ac5fb82e2c539e38ca xsa472-2.patch
9e1972a2b5a7a817b25cad0fa80c983198bb73a2788a4d0b5cdcaca4518a57cf xsa472-3.patch
$
DEPLOYMENT DURING EMBARGO
=========================
Deployment of the patches (but not mitigations) described above (or others
which are substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.
This is because the mitigations are guest visible changes, and hence could
give hints to users about the upcoming vulnerabilities.
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmjAFT8MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZGV8H+QEb73eX4Nf/BSKpeLxzO5vpieWv9vFX83Tq9/LH
KFQKbz4Y13XjtrxEpQhnZCYBEjgByBECrCnngaqjT8P3G17fhiEp2pMgMsU783mz
TPtmdDcC63WGNyqB/7j3jxDLuCscPKKGjS+DHmcIbiV9H820EYQi83mWOGNwXRQP
pYaMz5HSO15YypxKgK4i+piVceTS/fL0dclFU/vY13bq9sCqE/E4XRsClPgk1ryS
LqUBtXbQJfxSK9asMxd0BLozVsWNVgZ6e2XTWpPf/T5EBoOo+qhQ2XaRmGCyVi98
D5t8BJ0HV83Ptik37QlosjsRbtogPXpOiaPsFmB15WFlxk8=
=/zd8
-----END PGP SIGNATURE-----
From 262114a440bf7c32fd6d215e243b3eaebdd6d7cd Mon Sep 17 00:00:00 2001
From: Roger Pau Monne <roger.pau@citrix.com>
Date: Thu, 10 Jul 2025 15:51:40 +0200
Subject: [PATCH 1/3] x86/viridian: avoid NULL pointer dereference in
update_reference_tsc()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The function is only called when the MSR has the enabled bit set, but even
then the page might not be mapped because the guest provided gfn is not
suitable.
Prevent a NULL pointer dereference in update_reference_tsc() by checking
whether the page is mapped.
This is CVE-2025-27466 / part of XSA-472.
Fixes: 386b3365221d ('viridian: use viridian_map/unmap_guest_page() for reference tsc page')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/hvm/viridian/time.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xen/arch/x86/hvm/viridian/time.c b/xen/arch/x86/hvm/viridian/time.c
index 137577384f1e..ca6d526f46b7 100644
--- a/xen/arch/x86/hvm/viridian/time.c
+++ b/xen/arch/x86/hvm/viridian/time.c
@@ -26,6 +26,10 @@ static void update_reference_tsc(const struct domain *d, bool initialize)
HV_REFERENCE_TSC_PAGE *p = rt->ptr;
uint32_t seq;
+ /* Reference TSC page might not be mapped even if the MSR is enabled. */
+ if ( !p )
+ return;
+
if ( initialize )
clear_page(p);
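Review bot: the comment on the new guard should say why the page can be unmapped while the MSR is enabled, since a reader of time.c cannot tell from this hunk whether that is a transient or a permanent state; the commit message gives the reason (the guest-provided gfn was unsuitable), so something like `/* The guest-provided gfn may be unsuitable, so the page can be unmapped even with the MSR enabled. */` would carry it into the code. Placement after the local declarations and before the `initialize` handling is right, as nothing touches `p` earlier.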
--
2.49.0
From 71c9568e290b51dfd7ab091ac98b272fd0aa0b90 Mon Sep 17 00:00:00 2001
From: Roger Pau Monne <roger.pau@citrix.com>
Date: Thu, 10 Jul 2025 15:58:51 +0200
Subject: [PATCH 2/3] x86/viridian: avoid NULL pointer dereference in
viridian_synic_deliver_timer_msg()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The function is called unconditionally, regardless of whether the SIM page
is mapped. Avoid a NULL pointer dereference in
viridian_synic_deliver_timer_msg() by checking whether the SIM page is
mapped.
This is CVE-2025-58142 / part of XSA-472.
Fixes: 26fba3c85571 ('viridian: add implementation of synthetic timers')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/hvm/viridian/synic.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xen/arch/x86/hvm/viridian/synic.c b/xen/arch/x86/hvm/viridian/synic.c
index c3dc573b003d..e6cba7548f1b 100644
--- a/xen/arch/x86/hvm/viridian/synic.c
+++ b/xen/arch/x86/hvm/viridian/synic.c
@@ -338,6 +338,10 @@ bool viridian_synic_deliver_timer_msg(struct vcpu *v, unsigned int sintx,
.DeliveryTime = delivery,
};
+ /* Don't assume SIM page to be mapped. */
+ if ( !msg )
+ return false;
+
/*
* To avoid using an atomic test-and-set, and barrier before calling
* vlapic_set_irq(), this function must be called in context of the
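Review bot: returning false when `msg` is NULL silently drops the timer message; the hunk alone does not show what the caller does with a false return, so the commit message should state whether the timer is re-armed or the message is lost for an unmapped SIM page. Minor: the comment reads better as `/* Don't assume the SIM page is mapped. */`.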
--
2.49.0
From aed4cfd64d178aee677a8790440addda03678cd6 Mon Sep 17 00:00:00 2001
From: Roger Pau Monne <roger.pau@citrix.com>
Date: Thu, 3 Jul 2025 13:09:03 +0200
Subject: [PATCH 3/3] x86/viridian: protect concurrent modification of the
reference TSC page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The reference TSC page is shared between all vCPUs, and the data stored in
the domain struct. However the handlers to set and clear it are not safe
against concurrent accesses. It's possible for two (or more) vCPUs to call
HV_X64_MSR_REFERENCE_TSC at the same time and cause the in-use reference
TSC page to be freed, while still being on the p2m. This creates an
information leak, where the page can end up mapped in another domain while
still being part of the original domain p2m.
It's also possible to underflow the reference counter, as multiple
concurrent writes to HV_X64_MSR_REFERENCE_TSC can create an imbalance on
the number of put_page_and_type() calls.
Introduce a lock to protect the reference TSC domain field, thus
serializing concurrent vCPU accesses.
This is CVE-2025-58143 / part of XSA-472.
Fixes: 386b3365221d ('viridian: use viridian_map/unmap_guest_page() for reference tsc page')
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/hvm/viridian/time.c | 4 ++++
xen/arch/x86/hvm/viridian/viridian.c | 2 ++
xen/arch/x86/include/asm/hvm/viridian.h | 1 +
3 files changed, 7 insertions(+)
diff --git a/xen/arch/x86/hvm/viridian/time.c b/xen/arch/x86/hvm/viridian/time.c
index ca6d526f46b7..9311858d63c0 100644
--- a/xen/arch/x86/hvm/viridian/time.c
+++ b/xen/arch/x86/hvm/viridian/time.c
@@ -108,8 +108,10 @@ static void time_ref_count_thaw(const struct domain *d)
trc->off = (int64_t)trc->val - trc_val(d, 0);
+ spin_lock(&vd->lock);
if ( vd->reference_tsc.msr.enabled )
update_reference_tsc(d, false);
+ spin_unlock(&vd->lock);
}
static uint64_t time_ref_count(const struct domain *d)
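Review bot: `spin_lock()` rather than an IRQ-safe variant is used in time_ref_count_thaw(), so vd->lock must never be taken from interrupt context; the commit message should state that every user of the new lock runs in vCPU context, otherwise this path can deadlock against the MSR write handler. Note also that `trc->off` is updated outside the lock, which is fine only because the lock is documented as protecting `reference_tsc`, not `time_ref_count`.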
@@ -331,6 +333,7 @@ int viridian_time_wrmsr(struct vcpu *v, uint32_t idx, uint64_t val)
if ( !(viridian_feature_mask(d) & HVMPV_reference_tsc) )
return X86EMUL_EXCEPTION;
+ spin_lock(&vd->lock);
viridian_unmap_guest_page(&vd->reference_tsc);
vd->reference_tsc.msr.raw = val;
viridian_dump_guest_page(v, "REFERENCE_TSC", &vd->reference_tsc);
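Review bot: the lock is taken after the `return X86EMUL_EXCEPTION` for a missing HVMPV_reference_tsc feature, so that early exit does not leak it, but it is now held across viridian_unmap_guest_page(), viridian_dump_guest_page() and (in the next hunk) viridian_map_guest_page(). Map and unmap take page references and a global mapping, and dump prints; the commit message should confirm none of these can sleep or acquire a lock that nests the other way with vd->lock.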
@@ -339,6 +342,7 @@ int viridian_time_wrmsr(struct vcpu *v, uint32_t idx, uint64_t val)
viridian_map_guest_page(d, &vd->reference_tsc);
update_reference_tsc(d, true);
}
+ spin_unlock(&vd->lock);
break;
case HV_X64_MSR_TIME_REF_COUNT:
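Review bot: the two original lines between this hunk and the previous one (old lines 337-338, not shown) sit inside the locked region; every path from the `spin_lock(&vd->lock)` in the earlier hunk must reach this `spin_unlock(&vd->lock)` before the `break`, so confirm that the hidden lines and the `if` body contain no early return.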
diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
index 7ea6c9016894..c0be24bd2210 100644
--- a/xen/arch/x86/hvm/viridian/viridian.c
+++ b/xen/arch/x86/hvm/viridian/viridian.c
@@ -494,6 +494,8 @@ int viridian_domain_init(struct domain *d)
if ( !d->arch.hvm.viridian )
return -ENOMEM;
+ spin_lock_init(&d->arch.hvm.viridian->lock);
+
rc = viridian_synic_domain_init(d);
if ( rc )
goto fail;
diff --git a/xen/arch/x86/include/asm/hvm/viridian.h b/xen/arch/x86/include/asm/hvm/viridian.h
index 4c8ff6e80b6f..47c9d13841ac 100644
--- a/xen/arch/x86/include/asm/hvm/viridian.h
+++ b/xen/arch/x86/include/asm/hvm/viridian.h
@@ -71,6 +71,7 @@ struct viridian_domain
DECLARE_BITMAP(hypercall_flags, _HCALL_nr);
struct viridian_time_ref_count time_ref_count;
struct viridian_page reference_tsc;
+ spinlock_t lock;
};
void cpuid_viridian_leaves(const struct vcpu *v, uint32_t leaf,
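Review bot: the new `spinlock_t lock;` field has no comment saying what it protects; per the commit message it serializes access to `reference_tsc` only, so suggest `spinlock_t lock; /* protects reference_tsc */` to stop later fields being assumed to be covered by it.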
--
2.49.0