Bug 1851474 (CVE-2020-15566)

Summary: CVE-2020-15566 xen: incorrect error handling in event channel port allocation leads to DoS (XSA-317)
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, ailan, bhu, bmasney, brdeoliv, dhoward, drjones, dvlasenk, fhrbata, hkrzesin, imammedo, jforbes, jshortt, jstancek, knoel, m.a.young, mrezanin, nmurray, pbonzini, ptalbert, robinlee.sysu, rvrbovsk, security-response-team, vkuznets, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Xen in the allocation of an event channel port. Under certain circumstances, a malicious guest user might be able to crash the host, resulting in a Denial of Service (DoS) condition.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-07 19:30:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1854465    
Bug Blocks: 1851487    

Description Dhananjay Arunesh 2020-06-26 16:37:39 UTC
When the administrator configured a guest to allow more than 1023 event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new event channels will result in crashing the host rather than reporting an error.

Comment 1 Mauro Matteo Cascella 2020-07-01 15:48:57 UTC
Acknowledgments:

Name: the Xen project

Comment 2 Mauro Matteo Cascella 2020-07-06 14:26:46 UTC
Statement:

Only Xen versions 4.10 and later are affected by this flaw. The default configuration, when guests are created with xl/libxl, is not vulnerable, because of the default event channel limit (see Mitigation).

Comment 3 Mauro Matteo Cascella 2020-07-06 14:26:48 UTC
Mitigation:

The issue can be avoided by reducing the number of event channels available to the guest to no more than 1023.  For example, setting `max_event_channels=1023` in the xl domain configuration, or deleting any existing setting (since 1023 is the default for xl/libxl).

For ARM systems, any limit no more than 4095 is safe. For 64-bit x86 PV guests, any limit no more than 4095 is likewise safe if the host configuration prevents the guest administrator from substituting and running a 32-bit kernel (and thereby putting the guest into 32-bit PV mode).

Comment 4 Mauro Matteo Cascella 2020-07-07 14:03:01 UTC
External References:

https://xenbits.xen.org/xsa/advisory-317.html

Comment 5 Mauro Matteo Cascella 2020-07-07 14:03:22 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1854465]

Comment 6 Product Security DevOps Team 2020-07-07 19:30:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15566