Bug 1571880 (CVE-2018-10982, xsa261) - CVE-2018-10982 xsa261 xen: x86 vHPET interrupt injection errors (XSA-261)
Summary: CVE-2018-10982 xsa261 xen: x86 vHPET interrupt injection errors (XSA-261)
Alias: CVE-2018-10982, xsa261
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1576089
TreeView+ depends on / blocked
Reported: 2018-04-25 15:10 UTC by Adam Mariš
Modified: 2021-02-17 00:25 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-04-25 15:26:30 UTC

Attachments (Terms of Use)

Description Adam Mariš 2018-04-25 15:10:14 UTC

The High Precision Event Timer (HPET) can be configured to deliver
interrupts in one of three different modes - through legacy interrupts;
through the IO-APIC; or optionally via a method similar to PCI MSI.  The
last mode is optional and not implemented by Xen.  However, of the first
two modes, only the legacy variant was properly implemented.

If a guest set up an HPET timer in IO-APIC mode, Xen would still
handle this using the code for the legacy mode.  Unfortunately, the
available IO-APIC mode interrupt numbers are higher than legacy mode
interrupts.  The result was array overruns.


A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host.  Privilege
escalation, or information leaks, cannot be excluded.


Xen versions 3.1 and later are vulnerable.

Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only x86 HVM guests can exploit the vulnerability.  x86 PV and PVH
guests cannot exploit the vulnerability.

Only x86 HVM guests provided with hypervisor-side HPET emulation can
exploit the vulnerability.  That is the default configuration.  x86
HVM guests whose configuration explicitly disables this emulation (via
"hpet=0") cannot exploit the vulnerability.


Running only PV or PVH guests avoids the vulnerability.

Not exposing the hypervisor based HPET emulation to HVM guests, by
adding "hpet=0" to the guest configuration, also avoids the

External References:


Comment 3 Laura Pardo 2018-05-08 19:18:30 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1576089]

Comment 4 Adam Mariš 2018-05-11 09:22:25 UTC

Name: the Xen project
Upstream: Roger Pau Monné (Citrix)

Note You need to log in before you can comment on or make changes to this bug.