Bug 1851474 (CVE-2020-15566) - CVE-2020-15566 xen: incorrect error handling in event channel port allocation leads to DoS (XSA-317)
Summary: CVE-2020-15566 xen: incorrect error handling in event channel port allocation...
Alias: CVE-2020-15566
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1854465
Blocks: 1851487
TreeView+ depends on / blocked
Reported: 2020-06-26 16:37 UTC by Dhananjay Arunesh
Modified: 2021-02-16 19:45 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Xen in the allocation of an event channel port. Under certain circumstances, a malicious guest user might be able to crash the host, resulting in a Denial of Service (DoS) condition.
Clone Of:
Last Closed: 2020-07-07 19:30:02 UTC

Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-06-26 16:37:39 UTC
When the administrator configured a guest to allow more than 1023 event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new event channels will result in crashing the host rather than reporting an error.

Comment 1 Mauro Matteo Cascella 2020-07-01 15:48:57 UTC

Name: the Xen project

Comment 2 Mauro Matteo Cascella 2020-07-06 14:26:46 UTC

Only Xen versions 4.10 and later are affected by this flaw. The default configuration, when guests are created with xl/libxl, is not vulnerable, because of the default event channel limit (see Mitigation).

Comment 3 Mauro Matteo Cascella 2020-07-06 14:26:48 UTC

The issue can be avoided by reducing the number of event channels available to the guest to no more than 1023.  For example, setting `max_event_channels=1023` in the xl domain configuration, or deleting any existing setting (since 1023 is the default for xl/libxl).

For ARM systems, any limit no more than 4095 is safe. For 64-bit x86 PV guests, any limit no more than 4095 is likewise safe if the host configuration prevents the guest administrator from substituting and running a 32-bit kernel (and thereby putting the guest into 32-bit PV mode).

Comment 4 Mauro Matteo Cascella 2020-07-07 14:03:01 UTC
External References:


Comment 5 Mauro Matteo Cascella 2020-07-07 14:03:22 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1854465]

Comment 6 Product Security DevOps Team 2020-07-07 19:30:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.