Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determining validity. This may lead to bug checks triggering, crashing the host.
Acknowledgments: Name: the Xen project
Mitigation: The issue can be avoided by reducing the number of event channels available to the guest to no more than 1023. For example, setting `max_event_channels=1023` in the xl domain configuration, or deleting any existing setting (since 1023 is the default for xl/libxl). For ARM systems, any limit no more than 4095 is safe. For 64-bit x86 PV guests, any limit no more than 4095 is likewise safe if the host configuration prevents the guest administrator from substituting and running a 32-bit kernel (and thereby putting the guest into 32-bit PV mode).
Statement: All Xen versions from 4.4 onwards are vulnerable. Red Hat Enterprise Linux 5 is not affected by this flaw, as it shipped an older version of Xen.
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1881588]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25597
External References: https://xenbits.xen.org/xsa/advisory-338.html