CVE-2020-11742: 
NixOS vulnerability analysis and mitigation

An issue was discovered in Xen through 4.13.x (CVE-2020-11742) related to grant table operations handling. The vulnerability was discovered by Pawel Wieczorkiewicz of Amazon and Jürgen Groß of SUSE and was publicly disclosed on April 14, 2020. The issue affects all versions of Xen systems that handle grant table operations (Xen Advisory).

The vulnerability stems from a fix for CVE-2017-12135 which introduced a path through grant copy handling where success may be returned to the caller without any action taken. Specifically, the status fields of individual operations are left uninitialized, which can result in errant behavior in the caller of GNTTABOP_copy. The issue has been assigned a CVSS v3.1 Base Score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

A buggy or malicious guest can construct its grant table in such a way that when a backend domain attempts to copy a grant, it hits the incorrect exit path. This returns success to the caller without performing any action, which may result in system crashes or other incorrect behavior (Xen Advisory).

The issue has been patched in various distributions including Fedora, Debian, and openSUSE. For example, Debian fixed the issue in version 4.11.4+24-gddaaccbbab-1~deb10u1 (Debian Advisory), while openSUSE addressed it in version 4.12.2_04-lp151.2.15.1 (OpenSUSE Advisory). The primary mitigation is to apply the security patches provided by the vendor.