The so-called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains than for 64-bit x86 or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, because of the limited space in their shared (between guest and Xen) information structure, whereas all other domains can use up to 4095 in this model. Xen recorded the respective limit during domain initialization, at a point where every domain is still deemed to be 64-bit, before the domain's actual properties are honoured; when a domain was later recognized as 32-bit, the recorded limit was not updated to match. As a result, 32-bit domains (including Domain 0) that service other domains may observe event channel allocations succeeding when they should really fail. Subsequent use of such event channels can then corrupt other parts of the shared info structure.
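The following is an added illustration, not code from Xen or from this bug report. It is a simplified model of the 2-level event channel limit and of the ordering flaw described above: the usable port count is derived from the guest word width (W words of W bits, port 0 reserved, hence 1023 for 32-bit and 4095 for 64-bit), the limit is recorded before the domain's bitness is known, and an allocation that passes the stale limit then sets a pending bit past the end of a 32-bit guest's `evtchn_pending` array, landing in the adjacent `evtchn_mask` words. The struct layout, the function names and the sample port number are constructed for the example; the real shared info page and allocator are more involved.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model (not Xen's own code) of the 2-level event channel limit.
 * A guest with W-bit words has W words of W pending bits and port 0 is
 * unused, so W*W - 1 ports are usable: 1023 for 32-bit x86 PV guests,
 * 4095 for 64-bit and Arm guests.
 */
#define WORD_BITS_32 32
#define WORD_BITS_64 64

/* A 32-bit guest's bitmaps, with evtchn_mask following evtchn_pending as in
 * the public shared_info layout; kept as one flat array in the model. */
#define SI32_PENDING_WORDS WORD_BITS_32
#define SI32_MASK_WORDS    WORD_BITS_32

struct shared_info_32 {
    uint32_t words[SI32_PENDING_WORDS + SI32_MASK_WORDS]; /* [0,32) pending, [32,64) mask */
};

struct domain {
    bool is_32bit;
    unsigned int max_evtchn_port;   /* limit recorded at domain creation */
    struct shared_info_32 si;       /* only used for 32-bit domains here */
};

unsigned int evtchn_2l_max_ports(bool is_32bit)
{
    unsigned int w = is_32bit ? WORD_BITS_32 : WORD_BITS_64;
    return w * w - 1;
}

/* Flawed ordering as described in the advisory: the limit is recorded while
 * every domain is still treated as 64-bit, and the later switch to 32-bit
 * does not refresh it. */
void domain_init_buggy(struct domain *d, bool guest_is_32bit)
{
    memset(d, 0, sizeof(*d));
    d->is_32bit = false;
    d->max_evtchn_port = evtchn_2l_max_ports(d->is_32bit);
    d->is_32bit = guest_is_32bit;          /* bitness only learned now */
}

/* Corrected ordering: recompute the limit once the bitness is known. */
void domain_init_fixed(struct domain *d, bool guest_is_32bit)
{
    domain_init_buggy(d, guest_is_32bit);
    d->max_evtchn_port = evtchn_2l_max_ports(d->is_32bit);
}

/* Allocation check that trusts the recorded limit. */
bool evtchn_alloc_allowed(const struct domain *d, unsigned int port)
{
    return port != 0 && port <= d->max_evtchn_port;
}

/* Deliver an event to a 32-bit domain by setting its pending bit.  A port
 * that passed evtchn_alloc_allowed() but exceeds 1023 indexes past the
 * pending words into evtchn_mask.  Returns true if the bit landed inside
 * evtchn_pending, false if the port was refused or the bit hit evtchn_mask. */
bool evtchn_set_pending_32(struct domain *d, unsigned int port)
{
    unsigned int word = port / WORD_BITS_32, bit = port % WORD_BITS_32;

    if (!d->is_32bit || !evtchn_alloc_allowed(d, port))
        return false;
    if (word >= SI32_PENDING_WORDS + SI32_MASK_WORDS)
        return false;                      /* keep the model itself in bounds */
    d->si.words[word] |= 1u << bit;
    return word < SI32_PENDING_WORDS;
}

/* Number of evtchn_mask words that were written; non-zero means an event
 * delivery corrupted a neighbouring part of the shared info structure. */
unsigned int evtchn_mask_words_dirty(const struct domain *d)
{
    unsigned int n = 0;
    for (unsigned int i = SI32_PENDING_WORDS; i < SI32_PENDING_WORDS + SI32_MASK_WORDS; i++)
        n += d->si.words[i] != 0;
    return n;
}

int main(void)
{
    struct domain d;
    unsigned int port = 2000;   /* valid for a 64-bit guest, out of range for 32-bit */

    domain_init_buggy(&d, true);
    printf("buggy: limit %u, port %u allowed=%d, in pending=%d, mask words dirty=%u\n",
           d.max_evtchn_port, port, evtchn_alloc_allowed(&d, port),
           evtchn_set_pending_32(&d, port), evtchn_mask_words_dirty(&d));

    domain_init_fixed(&d, true);
    printf("fixed: limit %u, port %u allowed=%d\n",
           d.max_evtchn_port, port, evtchn_alloc_allowed(&d, port));
    return 0;
}
```

Under the buggy initialization the 32-bit domain keeps the 64-bit limit of 4095, so port 2000 is accepted and its pending bit is written into word 62 of the flat array, which is the 31st `evtchn_mask` word; the fixed initialization records 1023 and the same allocation is refused before anything is written.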
Acknowledgments: the Xen project
Mitigation: There is no known workaround for a 32-bit x86 Domain 0. For 32-bit x86 guest domains, the issue can be avoided by reducing the number of event channels available to the guest to no more than 1023, for example by setting `max_event_channels=1023` in the xl domain configuration, or by deleting any existing `max_event_channels` setting (since 1023 is the default for xl/libxl).
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1881582]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25600
External References: https://xenbits.xen.org/xsa/advisory-342.html
Statement: All Xen versions from 4.4 onwards are vulnerable. Red Hat Enterprise Linux 5 is not affected by this flaw, as it shipped with an older version of Xen.