Security Vulnerability Report
CVE-2025-58149 CVSS 7.5 HIGH

CVE-2025-58149

Published: 2025-10-31 12:15:35
Last Modified: 2026-01-14 22:04:32

Description

When passing through PCI devices, the detach logic in libxl does not remove access permissions to any 64-bit memory BARs the device might have. As a result, a domain can still access any 64-bit memory BAR after the device is no longer assigned to it. For PV domains, the permission leak allows the domain itself to map the memory in its page tables. For HVM domains, it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain's p2m.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:* - VULNERABLE
Xen < 4.17.4 (with libxl PCI passthrough)
Xen < 4.18.3 (with libxl PCI passthrough)
Xen < 4.19.1 (with libxl PCI passthrough)
Xen 4.20.x - 4.21.x (all versions with libxl)
Xen 5.x - 16.x (all versions with PCI device pass-through)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-58149 PoC - Xen libxl PCI 64-bit BAR Permission Leak
// This PoC demonstrates the concept of the permission leak after PCI device detachment
// Note: Actual exploitation requires a specific PCI device with a 64-bit BAR
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>

/* Simulated PCI BAR structure */
typedef struct {
    uint64_t bar_address;
    uint32_t bar_size;
    int is_64bit;
    int permissions_valid;
} pci_bar_t;

/* Simulated domain state */
typedef struct {
    int domain_id;
    pci_bar_t *assigned_devices;
    int device_count;
} xen_domain_t;

/* Vulnerable detach function - missing permission cleanup for 64-bit BARs */
void vulnerable_libxl_pci_detach(xen_domain_t *domain, int device_id)
{
    printf("[*] Detaching PCI device %d from domain %d\n", device_id, domain->domain_id);

    /* Current buggy implementation - only clears basic assignment */
    domain->assigned_devices[device_id].bar_address = 0;
    domain->assigned_devices[device_id].bar_size = 0;

    /* BUG: Missing cleanup for 64-bit BAR permissions */
    /* Should clear: domain->assigned_devices[device_id].permissions_valid = 0; */
    printf("[!] Device detached but 64-bit BAR permissions may still be valid\n");
}

/* Exploitation attempt - PV domain can remap leaked memory */
void exploit_pv_domain_remap(xen_domain_t *domain)
{
    printf("[*] PV Domain attempting to access leaked 64-bit BAR memory...\n");

    /* Check if permissions are still valid despite device detachment */
    for (int i = 0; i < domain->device_count; i++) {
        if (domain->assigned_devices[i].permissions_valid &&
            domain->assigned_devices[i].is_64bit) {
            printf("[!] Found leaked 64-bit BAR at 0x%" PRIx64 "\n",
                   domain->assigned_devices[i].bar_address);
            printf("[!] Domain %d can map this memory into page tables\n",
                   domain->domain_id);
            /* In real scenario: map the memory into domain's page tables */
        }
    }
}

int main(void)
{
    printf("=== CVE-2025-58149 PoC Demonstration ===\n\n");

    /* Simulate domain with assigned PCI device having 64-bit BAR */
    xen_domain_t *domain = malloc(sizeof(xen_domain_t));
    if (domain == NULL) {
        perror("malloc");
        return 1;
    }
    domain->domain_id = 1;
    domain->device_count = 1;
    domain->assigned_devices = malloc(sizeof(pci_bar_t) * 1);
    if (domain->assigned_devices == NULL) {
        perror("malloc");
        free(domain);
        return 1;
    }

    /* Setup device with 64-bit BAR */
    domain->assigned_devices[0].bar_address = 0x4000000000ULL;
    domain->assigned_devices[0].bar_size = 0x10000000;
    domain->assigned_devices[0].is_64bit = 1;
    domain->assigned_devices[0].permissions_valid = 1;

    printf("[*] Initial state: PCI device with 64-bit BAR assigned\n");
    printf("[*] BAR Address: 0x%" PRIx64 ", Size: 0x%" PRIx32 "\n\n",
           domain->assigned_devices[0].bar_address,
           domain->assigned_devices[0].bar_size);

    /* Trigger vulnerable detach */
    vulnerable_libxl_pci_detach(domain, 0);

    printf("\n[*] Checking domain state after detach...\n");

    /* Exploitation: PV domain can still access the leaked memory */
    exploit_pv_domain_remap(domain);

    free(domain->assigned_devices);
    free(domain);

    printf("\n[*] PoC demonstration complete\n");
    return 0;
}

References

https://xenbits.xenproject.org/xsa/advisory-476.html (Patch, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/10/24/1 (Mailing List, Patch, Third Party Advisory)
http://xenbits.xen.org/xsa/advisory-476.html (Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58149", "sourceIdentifier": "[email protected]", "published": "2025-10-31T12:15:35.143", "lastModified": "2026-01-14T22:04:31.723", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When passing through PCI devices, the detach logic in libxl won't remove\naccess permissions to any 64bit memory BARs the device might have. As a\nresult a domain can still have access any 64bit memory BAR when such\ndevice is no longer assigned to the domain.\n\nFor PV domains the permission leak allows the domain itself to map the memory\nin the page-tables. For HVM it would require a compromised device model or\nstubdomain to map the leaked memory into the HVM domain p2m."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-672"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:xen:xen:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "matchCriteriaId": "3E095C1C-0DC6-4380-9333-477B13273E9E"}]}]}], "references": [{"url": "https://xenbits.xenproject.org/xsa/advisory-476.html", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/24/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}, {"url": 
"http://xenbits.xen.org/xsa/advisory-476.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"]}]}}