Bug 1187153 (CVE-2015-1563)

Summary: CVE-2015-1563 xen: vgic: incorrect rate limiting of guest triggered logging on ARM architectures (XSA-118)
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: drjones, jforbes, kraxel, m.a.young, mrezanin, pbonzini, rkrcmar, virt-maint, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:38:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
xsa118-4.4.patch
none
xsa118-4.5-unstable-1.patch
none
xsa118-4.5-unstable-2.patch none

Description Vasyl Kaigorodov 2015-01-29 12:31:21 UTC 
ISSUE DESCRIPTION
=================

On ARM systems the code which deals with virtualising the GIC
distributor would, under various circumstances, log messages on a
guest accessible code path without appropriate rate limiting.

IMPACT
======

A malicious guest could cause repeated logging to the hypervisor
console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS
==================

Xen 4.4 and later systems running on ARM hardware are vulnerable.

x86 systems are not affected.

MITIGATION
==========

The problematic log messages are issued with priority Warning.

Therefore they can be rate limited by adding "loglvl=error/warning" to the
hypervisor command line or suppressed entirely by adding "loglvl=error".

Applying the attached patch(es) resolves this issue.

Statement:

This issue did not affect the versions of xen as shipped with Red Hat Enterprise Linux 5.

Acknowledgments:

Red Hat would like to thank the Xen for reporting this issue. Upstream acknowledges Julien Grall as the original reporter.
Comment 1 Vasyl Kaigorodov 2015-01-29 12:33:16 UTC 
Created attachment 985562 [details]
xsa118-4.4.patch
Comment 2 Vasyl Kaigorodov 2015-01-29 12:33:20 UTC 
Created attachment 985563 [details]
xsa118-4.5-unstable-1.patch
Comment 3 Vasyl Kaigorodov 2015-01-29 12:33:24 UTC 
Created attachment 985564 [details]
xsa118-4.5-unstable-2.patch
Comment 4 Michael Young 2015-02-03 20:05:43 UTC 
Fedora isn't affected as we haven't yet built xen on ARM. The patches have however been applied to xen-4.5.0-1.fc22 and the other Fedora versions will have patched code when xen-4.4.2 and xen-4.3.4 (currently both at -rc1) are released.
Comment 5 Vasyl Kaigorodov 2015-02-10 13:35:46 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2015-1563 to
the following vulnerability:

Name: CVE-2015-1563
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1563
Assigned: 20150208
Reference: http://xenbits.xen.org/xsa/advisory-118.html

The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows
local guests to cause a denial of service by causing a large number
messages to be logged.
Comment 6 Fedora Update System 2015-03-23 07:10:13 UTC 
xen-4.4.1-16.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.