Bug 1902766 (CVE-2020-29040) - CVE-2020-29040 xen: stack corruption from XSA-346 change (XSA-355)
Summary: CVE-2020-29040 xen: stack corruption from XSA-346 change (XSA-355)
Alias: CVE-2020-29040
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Duplicates: 1903746
Depends On: 1902769
Blocks: 1901108
Reported: 2020-11-30 15:38 UTC by Mauro Matteo Cascella
Modified: 2021-02-16 18:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An off-by-one flaw was found in one of the two patches for CVE-2020-27671 (XSA-346). This flaw allows malicious x86 HVM and PVH guests to cause host data corruption and data leaks, resulting in a denial of service or potential privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Clone Of:
Last Closed: 2020-11-30 17:34:13 UTC


Description Mauro Matteo Cascella 2020-11-30 15:38:21 UTC
One of the two changes for XSA-346 introduced an on-stack array. The check for guarding against overrunning this array was off by one, allowing for corruption of the first stack slot immediately following this array.

Upstream fix:
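Added illustration of the bug class described in the comment above; this is constructed code, not Xen's code and not the upstream fix. A guard on a fixed-size array that is off by one still accepts the index one past the last element, so the store lands in the slot immediately after the array. The `>` versus `>=` comparison and the extra canary slot are assumptions; the advisory does not show Xen's actual check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the XSA-355 bug class, not Xen's code: a small
 * array followed by one extra slot standing in for the stack slot the
 * advisory says gets corrupted. Xen's actual guard is not on this page;
 * the ">" versus ">=" comparison is an assumed form of an off-by-one
 * bound check. */
#define ARR_LEN    4u
#define SLOT_COUNT (ARR_LEN + 1u)  /* array plus the adjacent slot */
#define CANARY     0xDEADBEEFu

/* Off-by-one guard: still accepts idx == ARR_LEN, one past the end. */
static bool guard_off_by_one(size_t idx) { return idx > ARR_LEN; }
/* Corrected guard: rejects the first out-of-range index. */
static bool guard_fixed(size_t idx) { return idx >= ARR_LEN; }

/* Append up to n entries to slots[0..ARR_LEN-1], asking full() before
 * each store whether the array is exhausted. slots[ARR_LEN] is seeded
 * with CANARY so a write past the array is observable; the buffer is
 * SLOT_COUNT long, so even the buggy path stays within defined
 * behaviour. Returns the number of entries written. */
static size_t fill_guarded(bool (*full)(size_t), size_t n,
                           uint32_t slots[SLOT_COUNT]) {
    size_t idx = 0;
    for (size_t i = 0; i < SLOT_COUNT; i++)
        slots[i] = 0;
    slots[ARR_LEN] = CANARY;
    for (size_t i = 0; i < n; i++) {
        if (full(idx))   /* bound check before the store */
            break;
        slots[idx++] = 0x100u + (uint32_t)i;
    }
    return idx;
}
/* True when the slot after the array still holds its canary. */
static bool adjacent_slot_intact(const uint32_t slots[SLOT_COUNT]) {
    return slots[ARR_LEN] == CANARY;
}

int main(void) {
    uint32_t frame[SLOT_COUNT];
    size_t n = fill_guarded(guard_off_by_one, 10, frame);
    printf("off-by-one: wrote %zu, next slot intact: %d\n", n, adjacent_slot_intact(frame));
    n = fill_guarded(guard_fixed, 10, frame);
    printf("fixed:      wrote %zu, next slot intact: %d\n", n, adjacent_slot_intact(frame));
    return 0;
}
```

With the off-by-one guard the fifth store overwrites the canary slot, which is the stack-slot corruption the advisory describes; with the corrected guard the loop stops at four entries and the slot is untouched.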

Comment 1 Mauro Matteo Cascella 2020-11-30 15:38:29 UTC

Name: the Xen project

Comment 2 Mauro Matteo Cascella 2020-11-30 15:40:18 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1902769]

Comment 3 Mauro Matteo Cascella 2020-11-30 15:41:03 UTC
External References:


Comment 4 Mauro Matteo Cascella 2020-11-30 15:41:49 UTC

Avoid passing through physical devices to untrusted guests.

Comment 5 Mauro Matteo Cascella 2020-12-03 08:41:30 UTC
*** Bug 1903746 has been marked as a duplicate of this bug. ***
