Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 569554 (CVE-2015-8615) - app-emulation/xen: x86: unintentional logging upon guest changing callback method (XSA-169)(CVE-2015-8615)
Summary: app-emulation/xen: x86: unintentional logging upon guest changing callback me...
Status: RESOLVED FIXED
Alias: CVE-2015-8615
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://xenbits.xen.org/xsa/advisory-1...
Whiteboard: ~3 [noglsa/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-24 01:01 UTC by Yury German
Modified: 2016-02-25 05:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
xsa169.patch (xsa169.patch,1.06 KB, patch)
2015-12-24 01:01 UTC, Yury German 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yury German Gentoo Infrastructure gentoo-dev 2015-12-24 01:01:32 UTC 
Created attachment 420588 [details, diff]
xsa169.patch

Xen Security Advisory CVE-2015-8615 / XSA-169
                              version 2

    x86: unintentional logging upon guest changing callback method

UPDATES IN VERSION 2
====================

CVE assigned.

ISSUE DESCRIPTION
=================

HYPERVISOR_hvm_op sub-op HVMOP_set_param's HVM_PARAM_CALLBACK_IRQ
operation intends to log the new callback method in debug builds only.
The full message, however, is split into two parts, the second one of
which didn't get suppressed on non-debug builds as would have been
intended.

These log messages are not rate-limited and can be triggered by guests.

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen version 4.6 is affected.  Older Xen versions are unaffected.

ARM systems are not affected.

Only x86 HVM guests can expose this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

The problematic log messages are issued with priority Warning.
Therefore they can be rate limited by adding "loglvl=error/warning" to
the hypervisor command line or suppressed entirely by adding
"loglvl=error".

On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not excessively
invoke this operation will also prevent untrusted guest users from
exploiting this issue. However untrusted guest administrators can still
trigger it unless further steps are taken to prevent them from loading
code into the kernel (e.g. by disabling loadable modules etc) or from
using other mechanisms which allow them to run code at kernel privilege.

NOTE REGARDING LACK OF EMBARGO
==============================

The fix for this bug was publicly posted on xen-devel, before it was
appreciated that there was a security problem.

CREDITS
=======

This issue was discovered as a bug by Malcolm Crossley of Citrix; the
security impact was recognised by Jan Beulich of SuSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa169.patch        xen-unstable, Xen 4.6.x

$ sha256sum xsa169*
b818922880313cdbc12ea68ae757da5eabed9b3c9e1f8acefe1653683545ccbe  xsa169.patch
$
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2016-01-03 00:21:49 UTC 
Xen version 4.6 is affected.  Older Xen versions are unaffected.
-> revbump to xen-4.6.0-r5

patch XSA-169 added

commit 90cee9f2f3a8d12c68523e814f4fd4ab79311683
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sun Jan 3 08:19:36 2016 +0800

    app-emulation/xen: revbump to vn. 4.6.0-r5
    
    wrt security patch in the gentoo bug
    
    Gentoo bug: #569554

4.6 is not yet stabled but is due for it now. Therefore no stablising to follow here
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 05:34:58 UTC 
Maintainer(s), Thank you for your work.
Closing noglsa.