Bug 1284933 (CVE-2015-8341, xsa160) - CVE-2015-8341 xen: libxl leak of PV kernel can cause OOM condition
Summary: CVE-2015-8341 xen: libxl leak of PV kernel can cause OOM condition
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2015-8341, xsa160
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1289568
Blocks: 1504025
TreeView+ depends on / blocked
 
Reported: 2015-11-24 13:43 UTC by Adam Mariš
Modified: 2021-06-02 06:29 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-12 06:07:33 UTC
Embargoed:


Attachments (Terms of Use)
xen-unstable (2.52 KB, patch)
2015-11-24 13:44 UTC, Adam Mariš
no flags Details | Diff
Xen 4.3.x, 4.4.x (2.48 KB, patch)
2015-11-24 13:45 UTC, Adam Mariš
no flags Details | Diff
Xen 4.5.x, 4.6.x (2.52 KB, patch)
2015-11-24 13:45 UTC, Adam Mariš
no flags Details | Diff

Description Adam Mariš 2015-11-24 13:43:19 UTC
When constructing a guest which is configured to use a PV bootloader which runs as a userspace process in the toolstack domain (e.g. pygrub) libxl creates a mapping of the files to be used as kernel and initial ramdisk when building the guest domain.

However if building the domain subsequently fails these mappings would not be released leading to a leak of virtual address space in the calling process, as well as preventing the recovery of the temporary disk files containing the kernel and initial ramdisk.

For toolstacks which manage multiple domains within the same process, an attacker who is able to repeatedly start a suitable domain (or many such domains) can cause an out-of-memory condition in the toolstack process, leading to a denial of service.

Under the same circumstances an attacker can also cause files to accumulate on the toolstack domain filesystem (usually under /var in dom0) used to temporarily store the kernel and initial ramdisk, perhaps leading to a denial of service against arbitrary other services using that filesystem.

Both ARM and x86 systems using a libxl based toolstack are potentially vulnerable. Only libxl-based toolstacks which manage multiple domains in the same process (such as `libvirt') are vulnerable. libxl-based toolstacks which manage only a single domain per process and which exit on failure to create a domain (such as `xl') are not vulnerable. Toolstacks not using libxl are not vulnerable to this issue. Only domains configured to use a PV bootloader in the toolstack domain (e.g. pygrub) will expose this issue. Domains configured to use pvgrub (a totally different program) are not vulnerable. x86 HVM domains are not vulnerable. Systems where the kernel and initial ramdisk are provided by the host administrator from files in domain 0 are not vulnerable. Xen versions 4.1.x and later are vulnerable.

Avoiding the use of the PV bootloader mechanisms which run as processes in the toolstack domain (pygrub), either by providing kernels directly from the toolstack domain or using a PV bootloader which runs in guest context (such as pvgrub) will prevent exposure of this issue.

Comment 1 Adam Mariš 2015-11-24 13:44:38 UTC
Created attachment 1098202 [details]
xen-unstable

Comment 2 Adam Mariš 2015-11-24 13:45:12 UTC
Created attachment 1098203 [details]
Xen 4.3.x, 4.4.x

Comment 3 Adam Mariš 2015-11-24 13:45:34 UTC
Created attachment 1098204 [details]
Xen 4.5.x, 4.6.x

Comment 5 Martin Prpič 2015-12-08 12:30:07 UTC
External References:

http://xenbits.xen.org/xsa/advisory-160.html

Comment 6 Martin Prpič 2015-12-08 12:42:39 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1289568]

Comment 7 Fedora Update System 2015-12-17 07:26:46 UTC
xen-4.5.2-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-12-20 00:22:58 UTC
xen-4.5.2-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.