Xen Project 4.4 series


Xen Project 4.4.0

Release Information

The Xen Project 4.4 release incorporates many new features and improvements to existing features.


For Xen Project 4.4 documentation see

Contribution Acknowledgements

For a breakdown of contributions to Xen 4.4 check out the Xen Project 4.4 Acknowledgements.

Xen Project 4.4.1

We are pleased to announce the release of Xen 4.4.1. This is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.1).

This release fixes the following critical vulnerabilities:

  • CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
  • CVE-2014-3125 / XSA-91 Hardware timer context is not properly context switched on ARM
  • CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be created
  • CVE-2014-2915 / XSA-93 Hardware features unintentionally exposed to guests on ARM
  • CVE-2014-2986 / XSA-94 ARM hypervisor crash on guest interrupt controller access
  • CVE-2014-3714, CVE-2014-3715, CVE-2014-3716, CVE-2014-3717 / XSA-95 input handling vulnerabilities loading guest kernel on ARM
  • CVE-2014-3967, CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
  • CVE-2014-3969 / XSA-98 insufficient permissions checks accessing guest memory on ARM
  • CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests
  • CVE-2014-4022 / XSA-101 information leak via gnttab_setup_table on ARM
  • CVE-2014-5147 / XSA-102 Flaws in handling traps from 32-bit userspace on 64-bit ARM
  • CVE-2014-5148 / XSA-103 Flaw in handling unknown system register access from 64-bit userspace on ARM

Additionally, a workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) has been put in place. However, at this point we can't guarantee that all affected chipsets are covered; Intel is working diligently on providing us with a complete list.

Apart from those, there are many further bug fixes and improvements.

We recommend all users of the 4.4 stable series to update to this first point release.

Xen Project 4.4.2

We are pleased to announce the release of Xen 4.4.2. This is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.2) or from this download page.

This release fixes the following critical vulnerabilities:

  • CVE-2014-5146, CVE-2014-5149 / XSA-97: Long latency virtual-mmu operations are not preemptible
  • CVE-2014-7154 / XSA-104: Race condition in HVMOP_track_dirty_vram
  • CVE-2014-7155 / XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
  • CVE-2014-7156 / XSA-106: Missing privilege level checks in x86 emulation of software interrupts
  • CVE-2014-6268 / XSA-107: Mishandling of uninitialised FIFO-based event channel control blocks
  • CVE-2014-7188 / XSA-108: Improper MSR range used for x2APIC emulation
  • CVE-2014-8594 / XSA-109: Insufficient restrictions on certain MMU update hypercalls
  • CVE-2014-8595 / XSA-110: Missing privilege level checks in x86 emulation of far branches
  • CVE-2014-8866 / XSA-111: Excessive checking in compatibility mode hypercall argument translation
  • CVE-2014-8867 / XSA-112: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
  • CVE-2014-9030 / XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
  • CVE-2014-9065, CVE-2014-9066 / XSA-114: p2m lock starvation
  • CVE-2015-0361 / XSA-116: xen crash due to use after free on hvm guest teardown
  • CVE-2015-1563 / XSA-118: arm: vgic: incorrect rate limiting of guest triggered logging
  • CVE-2015-2152 / XSA-119: HVM qemu unexpectedly enabling emulated VGA graphics backends
  • CVE-2015-2044 / XSA-121: Information leak via internal x86 system device emulation
  • CVE-2015-2045 / XSA-122: Information leak through version information hypercall
  • CVE-2015-2151 / XSA-123: Hypervisor memory corruption due to x86 emulator flaw

Additionally, a bug in the fix for CVE-2014-3969 / XSA-98 was addressed; this bug was assigned CVE-2015-2290.

Sadly, the workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) still can't be guaranteed to cover all affected chipsets; Intel continues to work on providing us with a complete list.

Apart from those there are many further bug fixes and improvements.

We recommend all users of the 4.4 stable series to update to this latest point release.

Xen Project 4.4.3

We are pleased to announce the release of Xen 4.4.3. This is available immediately from its git repository http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.3) or from this download page.

This release contains the following bug fixes and improvements in the Xen Project hypervisor:

  • 27b82b0: update Xen version to 4.4.3 [Jan Beulich]
  • 3646b13: libxl: poll: Avoid fd deregistration race POLLNVAL crash [Ian Jackson]
  • 0348c45: libxl: poll: Use poller_get and poller_put for poller_app [Ian Jackson]
  • 900c797: libxl: poll: Make libxl__poller_get have only one success return path [Ian Jackson]
  • 1749add: tools: libxl: Handle failure to create qemu dm logfile [Ian Campbell]
  • ca0f468: libxl: In libxl_set_vcpuonline check for maximum number of VCPUs against the cpumap. [Konrad Rzeszutek Wilk]
  • 3e9054c: docs: workaround markdown parser error in xen-command-line.markdown [Ian Campbell]
  • 214fd40: xl: Sane handling of extra config file arguments [Ian Jackson]
  • 2b08c5c: QEMU_TAG update [Ian Jackson]
  • d273ce7: dmar: device scope mem leak fix [Elena Ufimtseva]
  • 1eda7e5: make rangeset_report_ranges() report all ranges [Jan Beulich]
  • d55922f: xen: earlycpio: Pull in latest linux earlycpio.[ch] [Ian Campbell]
  • d4ee871: x86/hvmloader: avoid data corruption with xenstore reads/writes [Andrew Cooper]
  • 4ee998c: credit1: properly deal with pCPUs not in any cpupool [Dario Faggioli]
  • 7ee0f1a: x86 / cpupool: clear the proper cpu_valid bit on pCPU teardown [Dario Faggioli]
  • cc87ed9: x86/p2m-ept: don't unmap the EPT pagetable while it is still in use [Andrew Cooper]
  • f51089d: nested EPT: fix the handling of nested EPT [Liang Li]
  • 33eba76: x86/traps: avoid using current too early on boot [Andrew Cooper]
  • 04667d6: x86: avoid tripping watchdog when constructing dom0 [Ross Lagerwall]
  • ea019a8: x86/EFI: adjust EFI_MEMORY_WP handling for spec version 2.5 [Jan Beulich]
  • b51d47e: kexec: add more pages to v1 environment [Jan Beulich]
  • f38be14: passthrough/amd: avoid reading an uninitialized variable [Tim Deegan]
  • fb9fdb0: x86/traps: identify the vcpu in context when dumping registers [Andrew Cooper]
  • 36c53c2: update Xen version to 4.4.3-rc1 [Jan Beulich]
  • 6c1cb3d: tools/libxc: Fix build of 32bit toolstacks on CentOS 5.x following XSA-125 [Andrew Cooper]
  • 7062ac6: Revert "tools/libxc: Fix build of 32bit toolstacks on CentOS 5.x following XSA-125" [Ian Jackson]
  • dfed6d9: libxl: event handling: ao_inprogress does waits while reports outstanding [Ian Jackson]
  • ba68310: libxl: event handling: Break out ao_work_outstanding [Ian Jackson]
  • a2895ef: tools/libxc: Fix build of 32bit toolstacks on CentOS 5.x following XSA-125 [Andrew Cooper]
  • a490f8d: tools/xenconsoled: Increase file descriptor limit [Andrew Cooper]
  • c669c24: ocaml/xenctrl: Fix stub_xc_readconsolering() [Andrew Cooper]
  • 9702e08: ocaml/xenctrl: Make failwith_xc() thread safe [Andrew Cooper]
  • 10a9553: ocaml/xenctrl: Check return values from hypercalls [Andrew Cooper]
  • 13623d5: libxl: In domain death search, start search at first domid we want [Ian Jackson]
  • 4b63c53: QEMU_TAG update [Ian Jackson]
  • c756224: xen/arm: Call context_saved() with interrupts enabled during context switch [denys drozdov]
  • de53397: cpupool: fix shutdown with cpupools with different schedulers [Dario Faggioli]
  • 472bdfe: libelf: fix elf_parse_bsdsyms call [Roger Pau Monné]
  • 726dd5a: VT-d: extend quirks to newer desktop chipsets [Jan Beulich]
  • d108622: EFI: support default attributes to map Runtime service areas with none given [Konrad Rzeszutek Wilk]
  • 1f29e20: EFI/early: add /mapbs to map EfiBootServices{Code,Data} [Konrad Rzeszutek Wilk]
  • a7c37b2: x86/EFI: fix EFI_MEMORY_WP handling [Jan Beulich]
  • e50f047: efi: avoid calling boot services after ExitBootServices() [Ross Lagerwall]
  • cd98a75: x86/VPMU: add lost Intel processor [Alan Robinson]
  • d568854: x86/crash: don't use set_fixmap() in the crash path [Andrew Cooper]
  • ab1cc71: x86/apic: Disable the LAPIC later in smp_send_stop() [Andrew Cooper]
  • 6ed66bf: efi: fix allocation problems if ExitBootServices() fails [Ross Lagerwall]
  • c76aeb5: x86: don't crash when mapping a page using EFI runtime page tables [Ross Lagerwall]
  • 7140a69: x86/pvh: disable posted interrupts [Roger Pau Monné]
  • 2691b20: x86: don't unconditionally touch the hvm_domain union during domain construction [Andrew Cooper]
  • 34b61e9: x86/EFI: keep EFI runtime services top level page tables up-to-date [Jan Beulich]
  • adee062: cpupools: avoid crashing if shutting down with free CPUs [Dario Faggioli]
  • 5d660a9: cpupool: assigning a CPU to a pool can fail [Dario Faggioli]
  • 05ab771: x86/traps: loop in the correct direction in compat_iret() [Andrew Cooper]
  • bcfa8d6: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling [Jan Beulich]
  • dc34ce4: QEMU_TAG update [Ian Jackson]
  • 5624637: QEMU_TAG update [Ian Jackson]
  • 2260598: x86: don't clear high 32 bits of RAX on sub-word guest I/O port reads [Jan Beulich]
  • 6cd44b0: x86_emulate: fix EFLAGS setting of CMPXCHG emulation [Eugene Korenevsky]
  • 21a06bf: x86/efi: reserve SMBIOS table region when EFI booting [Ross Lagerwall]
  • 718f183: x86: don't change affinity with interrupt unmasked [Jan Beulich]
  • cb296dd: x86_emulate: split the {reg,mem} union in struct operand [Tim Deegan]
  • 19ae8c1: VT-d: improve fault info logging [Jan Beulich]
  • 8f2d240: x86/MSI: fix error handling [Jan Beulich]
  • ce516e8: LZ4 : fix the data abort issue [JeHyeon Yeon]
  • 1af1095: hvmloader: don't treat ROM BAR like other BARs [Jan Beulich]
  • 5fea6a3: QEMU_UPSTREAM_REVISION = master again [Stefano Stabellini]
  • 5365c7b: domctl/sysctl: don't leak hypervisor stack to toolstacks [Andrew Cooper]
  • 6b09a29: domctl: don't allow a toolstack domain to call domain_pause() on itself [Andrew Cooper]
  • 518ae14: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) [Konrad Rzeszutek Wilk]
  • 491b55d: QEMU_TAG update [Ian Jackson]
  • fc6fe18: x86: don't apply reboot quirks if reboot set by user [Ross Lagerwall]
  • 77da6c2: Revert "cpupools: update domU's node-affinity on the cpupool_unassign_cpu() path" [Jan Beulich]
  • 42b446e: x86/EFI: allow reboot= overrides when running under EFI [Konrad Rzeszutek Wilk]
  • 21a97a7: EFI: fix getting EFI variable list on some systems [Ross Lagerwall]
  • b39e48d: VT-d: print_vtd_entries() should cope with superpages [Jan Beulich]
  • 4a49a29: honor MEMF_no_refcount in alloc_heap_pages() [Jan Beulich]
  • c0577ae: update Xen version to 4.4.3-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • 30c002b: ide: Clear DRQ after handling all expected accesses [Kevin Wolf]
  • eb74574: ide: Check array bounds before writing to io_buffer (CVE-2015-5154) [Kevin Wolf]
  • fd5c041: pcnet: force the buffer access to be in bounds during tx [Petr Matousek]
  • 8d15b64: pcnet: fix Negative array index read [Gonglei]
  • 5fabc18: xen/pt: unknown PCI config space fields should be read-only [Jan Beulich]
  • 755f99f: xen/pt: add a few PCI config space field descriptions [Jan Beulich]
  • 5c74b77: xen/pt: mark reserved bits in PCI config space fields [Jan Beulich]
  • 65e39c8: xen/pt: mark all PCIe capability bits read-only [Jan Beulich]
  • dd37ad7: xen/pt: split out calculation of throughable mask in PCI config space handling [Jan Beulich]
  • 903ee00: xen/pt: correctly handle PM status bit [Jan Beulich]
  • cdad723: xen/pt: consolidate PM capability emu_mask [Jan Beulich]
  • 2736dd5: xen/MSI: don't open-code pass-through of enable bit modifications [Jan Beulich]
  • 6d7cdb1: xen/MSI-X: disable logging by default [Jan Beulich]
  • 1e2a2be: xen: don't allow guest to control MSI mask register [Jan Beulich]
  • b0101be: xen: properly gate host writes of modified PCI CFG contents [Jan Beulich]
  • c8c6ba0: fdc: force the fifo access to be in bounds of the allocated buffer [Petr Matousek]
  • a03c5a7: xen: limit guest control of PCI command register [Jan Beulich]

This release also contains changes to qemu-upstream, whose changelog we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check http://xenbits.xen.org/gitweb/?p=staging/qemu-upstream-4.4-testing.git;a=shortlog (between tags qemu-xen-4.4.2 and qemu-xen-4.4.3).

The fixes listed above also include security fixes for XSA-125 to XSA-139. The fix for XSA-140 has been applied to qemu-upstream, but has not been applied to qemu-traditional. See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.4 stable series to update to this latest point release.

Xen Project 4.4.4

We are pleased to announce the release of Xen 4.4.4. This is available immediately from its git repository http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.4) or from this download page.

This release contains the following bug fixes and improvements in the Xen Project hypervisor:

  • a611ed5: update Xen version to 4.4.4 [Jan Beulich]
  • 425f7f7: x86/vmx: Fix injection of #DB traps following XSA-156 [Andrew Cooper]
  • f8aad02: x86/VMX: prevent INVVPID failure due to non-canonical guest address [Jan Beulich]
  • 12fe363: x86/mm: PV superpage handling lacks sanity checks [Jan Beulich]
  • 6d2c41d: Config.mk: update OVMF changeset [Wei Liu]
  • e003d42: blktap: Fix two 'maybe uninitialized' variables [Dario Faggioli]
  • dfc955e: QEMU_TAG update [Ian Jackson]
  • a436917: libxl: Fix building libxlu_cfg_y.y with bison 3.0 [Ed Swierk]
  • 4df657b: libxl: Rerun bison and flex [Ian Jackson]
  • fd4db04: QEMU_TAG update [Ian Jackson]
  • 4dacb5d: x86/HVM: avoid reading ioreq state more than once [Jan Beulich]
  • 52a5c0b: x86: don't leak ST(n)/XMMn values to domains first using them [Jan Beulich]
  • d0b73c9: x86/time: fix domain type check in tsc_set_info() [Haozhong Zhang]
  • c3049fa: evtchn: don't reuse ports that are still "busy" [David Vrabel]
  • 2f287a7: x86/boot: check for not allowed sections before linking [Daniel Kiper]
  • f089991: x86/vPMU: document as unsupported [Jan Beulich]
  • f70eaf9: VMX: fix/adjust trap injection [Jan Beulich]
  • 52f7217: sched: fix locking for insert_vcpu() in credit1 and RTDS [Dario Faggioli]
  • 6e2cca2: x86/HVM: don't inject #DB with error code [Jan Beulich]
  • 1b6738a: x86/vmx: improvements to vmentry failure handling [Andrew Cooper]
  • ee4d573: x86/PoD: Make p2m_pod_empty_cache() restartable [Andrew Cooper]
  • dff1010: x86/NUMA: fix SRAT table processor entry parsing and consumption [Jan Beulich]
  • cc28516: x86: hide MWAITX from PV domains [Jan Beulich]
  • 1db34a4: VT-d: don't suppress invalidation address write when it is zero [Jan Beulich]
  • 8fc45c1: memory: fix XSA-158 fix [Jan Beulich]
  • 5202998: QEMU_TAG update [Ian Jackson]
  • 62dc4c1: libxl: Fix bootloader-related virtual memory leak on pv build failure [Ian Jackson]
  • 2432628: memory: fix XENMEM_exchange error handling [Jan Beulich]
  • dcbb31d: memory: split and tighten maximum order permitted in memops [Jan Beulich]
  • 602506b: Config: Switch to unified qemu trees. [Ian Campbell]
  • 26b09fa: x86/HVM: always intercept #AC and #DB [Jan Beulich]
  • 73b70e3: libxl: adjust PoD target by memory fudge, too [Ian Jackson]
  • 0613780: x86: rate-limit logging in do_xen{oprof,pmu}_op() [Jan Beulich]
  • 76782e0: xenoprof: free domain's vcpu array [Jan Beulich]
  • 3638ff0: x86/PoD: Eager sweep for zeroed pages [Andrew Cooper]
  • 63c4744: free domain's vcpu array [Jan Beulich]
  • 477bc9b: xen: common: Use unbounded array for symbols_offset. [Ian Campbell]
  • a6646a5: x86: guard against undue super page PTE creation [Jan Beulich]
  • d889704: arm: handle races between relinquish_memory and free_domheap_pages [Ian Campbell]
  • e6e24d7: arm: rate-limit logging from unimplemented PHYSDEVOP and HVMOP. [Ian Campbell]
  • 16486fc: arm: Support hypercall_create_continuation for multicall [Julien Grall]
  • e321898: docs: xl.cfg: permissive option is not PV only. [Ian Campbell]
  • de3e45c: tools: libxl: allow permissive qemu-upstream pci passthrough. [Ian Campbell]
  • 7b161be: tools/console: xenconsole tolerate tty errors [Ian Jackson]
  • 5c94f96: x86/p2m-pt: correct condition of IOMMU mapping updates [Jan Beulich]
  • 5967073: credit1: fix tickling when it happens from a remote pCPU [Dario Faggioli]
  • 03f29a8: x86/p2m-pt: ignore pt-share flag for shadow mode guests [Jan Beulich]
  • 7d17ce9: x86/p2m-pt: delay freeing of intermediate page tables [Jan Beulich]
  • 2327dad: vt-d: fix IM bit mask and unmask of Fault Event Control Register [Quan Xu]
  • 964150b: xen/xsm: Make p->policyvers be a local variable (ver) to shut up GCC 5.1.1 warnings. [Konrad Rzeszutek Wilk]
  • ef632a2: x86/sysctl: don't clobber memory if NCAPINTS > ARRAY_SIZE(pi->hw_cap) [Andrew Cooper]
  • 55d6263: x86/MSI: fail if no hardware support [Jan Beulich]
  • c4af95f: x86/p2m: fix mismatched unlock [Jan Beulich]
  • fbb3881: x86/hvm: fix saved pmtimer and hpet values [Kouya Shimura]
  • 4d99a76: libxl: handle read-only drives with qemu-xen [Stefano Stabellini]
  • fe66a76: libxl: Increase device model startup timeout to 1min. [Anthony PERARD]
  • 213e243: xl: correct handling of extra_config in main_cpupoolcreate [Wei Liu]
  • 515d2e3: QEMU_TAG update [Ian Jackson]
  • dbded55: x86/NUMA: make init_node_heap() respect Xen heap limit [Jan Beulich]
  • e554ae4: mm: populate_physmap: validate correctly the gfn for direct mapped domain [Julien Grall]
  • e19042f: x86/mm: Make {hap, shadow}_teardown() preemptible [Anshul Makkar]
  • cfb5d20: x86/NUMA: don't account hotplug regions [Jan Beulich]
  • 8bea719: x86/NUMA: fix setup_node() [Jan Beulich]
  • 181ebad: IOMMU: skip domains without page tables when dumping [Jan Beulich]
  • 9a00f96: x86/IO-APIC: don't create pIRQ mapping from masked RTE [Jan Beulich]
  • 6657f1b: x86, amd_ucode: skip microcode updates for final levels [Aravind Gopalakrishnan]
  • 23c1322: x86/gdt: Drop write-only, xalloc()'d array from set_gdt() [Andrew Cooper]
  • ff9758b: Config.mk: update in-tree OVMF changeset [Wei Liu]
  • 339f574: xen/arm: mm: Do not dump the p2m when mapping a foreign gfn [Julien Grall]
  • 5b6f360: update Xen version to 4.4.4-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • 2bbe494: MSI-X: avoid array overrun upon MSI-X table writes [Jan Beulich]
  • c51f20b: blkif: Avoid double access to src->nr_segments [Stefano Stabellini]
  • bc468fe: xenfb: avoid reading twice the same fields from the shared page [Stefano Stabellini]
  • 6425f5d: net: pcnet: add check to validate receive data size(CVE-2015-7504) [Ian Jackson]
  • 5ae0569: vnc: limit client_cut_text msg payload size [Peter Lieven]

This release also contains changes to qemu-upstream, whose changelog we do not list here as it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check http://xenbits.xen.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.4.3 and qemu-xen-4.4.4).

The fixes listed above also include security fixes for XSA-141 to XSA-142, XSA-145 to XSA-153, partial fixes to XSA-155 (please check XSA-155 for all patches), and XSA-156 to XSA-169. Note that XSA-143, XSA-144 and XSA-154 refer to unused XSA numbers or XSA numbers that may be pre-disclosed in future. Also note that XSA-162 has only been applied to qemu-traditional, but has not yet been applied to qemu-upstream.

We recommend all users of the 4.4 stable series to update to this latest point release.