|Public release ||2015-10-29 11:59|
|Updated ||2015-10-29 11:59|
|Title ||x86: some pmu and profiling hypercalls log without rate limiting|
Filesadvisory-152.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2015-7971 / XSA-152
x86: some pmu and profiling hypercalls log without rate limiting
UPDATES IN VERSION 3
HYPERCALL_xenoprof_op and HYPERVISOR_xenpmu_op log some errors and
attempts at invalid operations.
These log messages are not rate-limited, even though they can be
triggered by guests.
A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.
Xen versions 3.2.x and later are affected. (The VPMU part of the
vulnerability is applicable only to Xen 4.6 and later.)
ARM systems are not affected. (The pmu hypercall is x86-specific, and
xenoprof is not supported on ARM.)
The problematic log messages are issued with priority Warning.
Therefore they can be rate limited by adding "loglvl=error/warning" to
the hypervisor command line or suppressed entirely by adding
On systems where the guest kernel is controlled by the host rather
than guest administrator, running only kernels which do not call these
hypercalls will also prevent untrusted guest users from exploiting
this issue. However untrusted guest administrators can still trigger
it unless further steps are taken to prevent them from loading code
into the kernel (e.g. by disabling loadable modules etc) or from using
other mechanisms which allow them to run code at kernel privilege.
This issue was discovered by Jan Beulich of SUSE.
Applying the appropriate attached patch resolves this issue.
xsa152-unstable.patch xen-unstable, Xen 4.6.x
xsa152-4.5.patch Xen 4.5.x, Xen 4.4.x, Xen 4.3.x
$ sha256sum xsa152*.patch
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team