* Xen Security Advisory 169 - x86: unintentional logging upon guest changing callback method
@ 2015-12-21 11:17 Xen.org security team
From: Xen.org security team @ 2015-12-21 11:17 UTC (permalink / raw)
  To: xen-announce, xen-devel, xen-users, oss-security; +Cc: Xen.org security team

                    Xen Security Advisory XSA-169

    x86: unintentional logging upon guest changing callback method

ISSUE DESCRIPTION
=================

The HVM_PARAM_CALLBACK_IRQ operation of HYPERVISOR_hvm_op sub-op
HVMOP_set_param is intended to log the new callback method in debug
builds only.  The full message, however, is split into two parts, and
the second part was not suppressed on non-debug builds as had been
intended.

These log messages are not rate-limited and can be triggered by guests.
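
The split-message pattern described above, reduced to a stand-alone C
program. This is an added example, not Xen source: printk writes to a
capture buffer, SIM_RELEASE stands in for a non-debug build, log levels
are omitted, and the function names and the "GSI %d" text are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define SIM_RELEASE 1            /* assumption: stands in for NDEBUG */
static char console[256];        /* capture buffer, not a real console */
static void printk(const char *fmt, ...)
{
    size_t used = strlen(console);
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(console + used, sizeof(console) - used, fmt, ap);
    va_end(ap);
}

#if SIM_RELEASE
#define dprintk(...) ((void)0)   /* debug-only print compiles to nothing */
#else
#define dprintk(...) printk(__VA_ARGS__)
#endif

/* Pre-fix shape: only the prefix is debug-only. gsi < 0 means "None". */
static size_t log_before(unsigned dom, int gsi)
{
    console[0] = '\0';
    (void)dom;
    dprintk("Dom%u callback via changed to ", dom);
    if ( gsi >= 0 )
        printk("GSI %d\n", gsi);  /* constructed continuation text */
    else
        printk("None\n");
    return strlen(console);
}

/* Post-fix shape: prefix and continuation share one guard. */
static size_t log_after(unsigned dom, int gsi)
{
    console[0] = '\0';
    (void)dom; (void)gsi;
#if !SIM_RELEASE
    printk("Dom%u callback via changed to ", dom);
    printk(gsi >= 0 ? "GSI %d\n" : "None\n", gsi);
#endif
    return strlen(console);
}

int main(void)
{
    printf("before=%zu after=%zu\n", log_before(1, 9), log_after(1, 9));
    return 0;
}
```

Setting SIM_RELEASE to 0 models a debug build, where both shapes emit
the complete line.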

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen version 4.6 is affected.  Older Xen versions are unaffected.

ARM systems are not affected.

Only x86 HVM guests can expose this vulnerability.

MITIGATION
==========

Running only PV guests will avoid this issue.

The problematic log messages are issued with priority Warning.
Therefore they can be rate limited by adding "loglvl=error/warning" to
the hypervisor command line or suppressed entirely by adding
"loglvl=error".

On systems where the guest kernel is controlled by the host rather
than the guest administrator, running only kernels which do not
excessively invoke this operation will also prevent untrusted guest
users from exploiting this issue.  However, untrusted guest
administrators can still trigger it unless further steps are taken to
prevent them from loading code into the kernel (e.g. by disabling
loadable modules etc.) or from using other mechanisms which allow them
to run code at kernel privilege.

NOTE REGARDING LACK OF EMBARGO
==============================

The fix for this bug was publicly posted on xen-devel, before it was
appreciated that there was a security problem.

CREDITS
=======

This issue was discovered as a bug by Malcolm Crossley of Citrix; the
security impact was recognised by Jan Beulich of SuSE.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa169.patch        xen-unstable, Xen 4.6.x

$ sha256sum xsa169*
b818922880313cdbc12ea68ae757da5eabed9b3c9e1f8acefe1653683545ccbe  xsa169.patch
$

[-- Attachment #2: xsa169.patch --]
[-- Type: application/octet-stream, Size: 1082 bytes --]

x86: make debug output consistent in hvm_set_callback_via

The unconditional printks in the switch statement of the
hvm_set_callback_via function result in Xen log spam in non-debug
versions of Xen. The printks are for debug output only, so conditionally
compile the entire switch statement on debug versions of Xen only.

This is XSA-169.

Signed-off-by: Malcolm Crossley <malcolm.crossley@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

--- a/xen/arch/x86/hvm/irq.c
+++ b/xen/arch/x86/hvm/irq.c
@@ -386,7 +386,8 @@ void hvm_set_callback_via(struct domain
 
     spin_unlock(&d->arch.hvm_domain.irq_lock);
 
-    dprintk(XENLOG_G_INFO, "Dom%u callback via changed to ", d->domain_id);
+#ifndef NDEBUG
+    printk(XENLOG_G_INFO "Dom%u callback via changed to ", d->domain_id);
     switch ( via_type )
     {
     case HVMIRQ_callback_gsi:
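
Review bot: the replacement printk at the top of this hunk still ends in "changed to " with no newline, so the line is only completed by a second printk inside the switch, and in debug builds the two pieces may be separated by output from elsewhere. Consider having the switch choose the text and emitting the whole line with one call, so that a single guard and a single log level cover the entire message.
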
@@ -402,6 +403,7 @@ void hvm_set_callback_via(struct domain
         printk("None\n");
         break;
     }
+#endif
 }
 
 struct hvm_intack hvm_vcpu_has_pending_irq(struct vcpu *v)
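
Review bot: printk("None\n") inside the now-guarded switch carries no XENLOG_* prefix, unlike the opening printk(XENLOG_G_INFO ...), so in debug builds the tail of the message is still logged at a different priority (the advisory gives it as Warning) from its head; it would be worth stating in the commit message whether that is intended. The bare #endif also closes an #ifndef NDEBUG that sits in the previous hunk, so a trailing /* !NDEBUG */ comment would make the pairing clear.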
