Authors: Roger Pau Monné
Risk: High
CVE: CVE-2018-10982
0day: Interrupt Injection
0day-id: 0DAY-176185
Date: 2018-05-15
An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection.
A malicious or buggy HVM guest may cause a hypervisor crash, resulting in a Denial of Service (DoS) affecting the entire host. Privilege escalation, or information leaks, cannot be excluded.
Xen versions 3.4 and later are vulnerable.
Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only x86 HVM guests can exploit the vulnerability. x86 PV and PVH
guests cannot exploit the vulnerability.
Only x86 HVM guests provided with hypervisor-side HPET emulation can
exploit the vulnerability. That is the default configuration. x86
HVM guests whose configuration explicitly disables this emulation (via
“hpet=0”) cannot exploit the vulnerability.
Running only PV or PVH guests avoids the vulnerability.
Not exposing the hypervisor based HPET emulation to HVM guests, by
adding “hpet=0” to the guest configuration, also avoids the
This issue was discovered by Roger Pau Monné of Citrix.
Applying the appropriate attached patch resolves this issue.
xsa261.patch           xen-unstable, Xen 4.10.x
xsa261-4.9.patch       Xen 4.9.x
xsa261-4.8.patch       Xen 4.8.x
xsa261-4.7.patch       Xen 4.7.x, Xen 4.6.x
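
Until the patch is applied, the "hpet=0" mitigation above can be checked across guest configurations. The following is an added example, not part of the advisory or of Xen: it assumes xl.cfg-style files in which `type` (or the older `builder="hvm"`) selects the guest kind and PV is the default, and it inspects configuration only, not whether the hypervisor is patched. The sample configs are constructed.

```python
import re

# Scalar xl.cfg assignments, e.g.  type = "hvm"   or   hpet = 0  # comment
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s#;]+))')

def parse_scalars(text):
    """Return {key: value} for scalar assignments; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)          # lines starting with '#' never match
        if m:
            settings[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return settings

def guest_type(settings):
    # Assumption: "type" takes precedence; builder="hvm" is the legacy spelling.
    if "type" in settings:
        return settings["type"].lower()
    return "hvm" if settings.get("builder", "").lower() == "hvm" else "pv"

def exposed_to_vhpet(text):
    """True if the config describes an HVM guest with emulated HPET enabled."""
    s = parse_scalars(text)
    if guest_type(s) != "hvm":
        return False                    # PV and PVH guests cannot exploit the issue
    try:
        # HPET emulation is the default, so a missing key counts as enabled.
        return int(s.get("hpet", "1"), 0) != 0
    except ValueError:
        return True                     # unparseable value: report conservatively

def audit(configs):
    """Return the sorted names of configs that still expose the emulated HPET."""
    return sorted(name for name, text in configs.items() if exposed_to_vhpet(text))

SAMPLES = {  # constructed guest configs, not taken from the advisory
    "hvm-default.cfg": 'name = "a"\ntype = "hvm"\nmemory = 2048\n',
    "hvm-hpet-off.cfg": 'name = "b"\nbuilder = "hvm"\nhpet = 0  # mitigation\n',
    "hvm-commented.cfg": 'type = "hvm"\n# hpet = 0\n',
    "pvh.cfg": 'type = "pvh"\nkernel = "/boot/vmlinuz"\n',
    "pv-default.cfg": 'name = "e"\nmemory = 512\n',
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: HVM guest with emulated HPET enabled (add hpet=0 or patch)")
```

A commented-out `# hpet = 0` line is reported as exposed, since the setting only takes effect when it is an active assignment.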