|Public release ||2016-05-23 17:09|
|Updated ||2016-05-23 17:09|
|Title ||Unrestricted qemu logging|
Filesadvisory-180.txt (signed advisory file)
-----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2014-3672 / XSA-180
Unrestricted qemu logging
When the libxl toolstack launches qemu for HVM guests, it pipes the
output of stderr to a file in /var/log/xen. This output is not
rate-limited in any way. The guest can easily cause qemu to print
messages to stderr, causing this file to become arbitrarily large.
The disk containing the logfile can be exausted, possibly causing a
All versions of Xen are affected.
Only x86 systems are affected; ARM systems are not affected.
Only systems running HVM guests are affected; systems running only PV
guests are not affected.
Both qemu-upstream and qemu-traditional are affected.
Running only PV guests will avoid this vulnerability.
This issue was discovered by Andrew Sorensen of leviathansecurity.com.
Applying the appropriate attached patch resolves this issue.
The patches adopt a simple and rather crude approach which is
effective at resolving the security issue in the context of a Xen
device model. They may not be appropriate for adoption upstream or in
xsa180-qemut.patch qemu-xen-traditional (all supported versions)
xsa180-qemuu.patch qemu-xen (upstream) Xen unstable
$ sha256sum xsa180*
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
Xenproject.org Security Team