Bug 1284933 (CVE-2015-8341, xsa160)

Summary: CVE-2015-8341 xen: libxl leak of PV kernel can cause OOM condition
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ailan, drjones, imammedo, knoel, mrezanin, osoukup, pbonzini, rkrcmar, security-response-team, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-12 06:07:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1289568    
Bug Blocks: 1504025    
Attachments:
Description Flags
xen-unstable
none
Xen 4.3.x, 4.4.x
none
Xen 4.5.x, 4.6.x none

Description Adam Mariš 2015-11-24 13:43:19 UTC
When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain (e.g. pygrub) libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain.

However if building the domain subsequently fails these mappings would not be released leading to a leak of virtual address space in the calling process, as well as preventing the recovery of the temporary disk files containing the kernel and initial ramdisk.

For toolstacks which manage multiple domains within the same process, an attacker who is able to repeatedly start a suitable domain (or many such domains) can cause an out-of-memory condition in the toolstack process, leading to a denial of service.

Under the same circumstances an attacker can also cause files to accumulate on the toolstack domain filesystem (usually under /var in dom0) used to temporarily store the kernel and initial ramdisk, perhaps leading to a denial of service against arbitrary other services using that filesystem.

Both ARM and x86 systems using a libxl based toolstack are potentially vulnerable. Only libxl-based toolstacks which manage multiple domains in the same process (such as `libvirt') are vulnerable. libxl-based toolstacks which manage only a single domain per process and which exit on failure to create a domain (such as `xl') are not vulnerable. Toolstacks not using libxl are not vulnerable to this issue. Only domains configured to use a PV bootloader in the toolstack domain (e.g. pygrub) will expose this issue. Domains configured to use pvgrub (a totally different program) are not vulnerable. x86 HVM domains are not vulnerable. Systems where the kernel and initial ramdisk are provided by the host administrator from files in domain 0 are not vulnerable. Xen versions 4.1.x and later are vulnerable.

Avoiding the use of the PV bootloader mechanisms which run as processes in the toolstack domain (pygrub), either by providing kernels directly from the toolstack domain or using a PV bootloader which runs in guest context (such as pvgrub) will prevent exposure of this issue.

Comment 1 Adam Mariš 2015-11-24 13:44:38 UTC
Created attachment 1098202 [details]
xen-unstable

Comment 2 Adam Mariš 2015-11-24 13:45:12 UTC
Created attachment 1098203 [details]
Xen 4.3.x, 4.4.x

Comment 3 Adam Mariš 2015-11-24 13:45:34 UTC
Created attachment 1098204 [details]
Xen 4.5.x, 4.6.x

Comment 5 Martin Prpič 2015-12-08 12:30:07 UTC
External References:

http://xenbits.xen.org/xsa/advisory-160.html

Comment 6 Martin Prpič 2015-12-08 12:42:39 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1289568]

Comment 7 Fedora Update System 2015-12-17 07:26:46 UTC
xen-4.5.2-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-12-20 00:22:58 UTC
xen-4.5.2-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.