Date: Mon, 21 Dec 2015 11:17:36 +0000 From: Xen.org security team <security@....org> To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org, xen-users@...ts.xen.org, oss-security@...ts.openwall.com CC: Xen.org security team <security@....org> Subject: Xen Security Advisory 169 - x86: unintentional logging upon guest changing callback method -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-169 x86: unintentional logging upon guest changing callback method ISSUE DESCRIPTION ================= HYPERVISOR_hvm_op sub-op HVMOP_set_param's HVM_PARAM_CALLBACK_IRQ operation intends to log the new callback method in debug builds only. The full message, however, is split into two parts, the second one of which didn't get suppressed on non-debug builds as would have been intended. These log messages are not rate-limited and can be triggered by guests. IMPACT ====== A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack. VULNERABLE SYSTEMS ================== Xen version 4.6 is affected. Older Xen versions are unaffected. ARM systems are not affected. Only x86 HVM guests can expose this vulnerability. MITIGATION ========== Running only PV guests will avoid this issue. The problematic log messages are issued with priority Warning. Therefore they can be rate limited by adding "loglvl=error/warning" to the hypervisor command line or suppressed entirely by adding "loglvl=error". On systems where the guest kernel is controlled by the host rather than guest administrator, running only kernels which do not excessively invoke this operation will also prevent untrusted guest users from exploiting this issue. However untrusted guest administrators can still trigger it unless further steps are taken to prevent them from loading code into the kernel (e.g. by disabling loadable modules etc) or from using other mechanisms which allow them to run code at kernel privilege. NOTE REGARDING LACK OF EMBARGO ============================== The fix for this bug was publicly posted on xen-devel, before it was appreciated that there was a security problem. CREDITS ======= This issue was discovered as a bug by Malcolm Crossley of Citrix; the security impact was recognised by Jan Beulich of SuSE. RESOLUTION ========== Applying the attached patch resolves this issue. xsa169.patch xen-unstable, Xen 4.6.x $ sha256sum xsa169* b818922880313cdbc12ea68ae757da5eabed9b3c9e1f8acefe1653683545ccbe xsa169.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJWd96OAAoJEIP+FMlX6CvZm18H/Rtth2qo/064hqkTrU8S2/Oo vbQQxPdRaOZ4T7pGQf58JAVTNuY/nZB56h+t5N0SBV4O1+PvKm/2yY86HyJ1D0Ia 98XmxDuxKQU00LSHy3Jtri+/Nu23bdOsD4fk8Fd62J3EJnbWe8nuSy+Pns5ju/8X HxWkbw5Ek4UR5MGU/UJLNjUGR+VY8WwqNJvtXGm36DOpZw86GlPN87QeubhhXeog nWt/a6aYRUVy05auItY5oHNIKQiJicBdqIxdxss1E43tQjHi1RwAAiYLrbImGZOu etqJaaab+7vJqqvQgHJqlF/vLSvuaol/CrKPurfwFnKxn2x4KIYG2xtWrRa3Y5w= =hg+4 -----END PGP SIGNATURE----- Download attachment "xsa169.patch" of type "application/octet-stream" (1082 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.