xl command line config handling stack overflow

ID XSA-137
Type xen
Reporter Xen Project
Modified 2015-07-07T12:25:00



The xl command line utility mishandles long configuration values passed as command line arguments, resulting in a buffer overrun.


Systems built on top of xl which pass laundered or checked (but otherwise untrusted) configuration values onto xl's command line, without restricting their length, are vulnerable.

We are not presently aware of any publicly distributed production software which exposes the xl vulnerability. However, it is sufficiently simple to create such an arrangement that it might be done locally in an attempt to grant partial management access to particular domains.

Systems using the libxl library directly, without using xl, are not vulnerable. Systems using toolstacks other than xl are not vulnerable. Systems where only fully trusted input is ever presented to the xl command line are not vulnerable.

The vulnerability exists on x86 and ARM.

The vulnerability was introduced in Xen 4.1 and affects all subsequent Xen releases.


A semi-trusted guest administrator or controller, who is intended to be able to partially control the configuration settings for a domain, can escalate their privileges to that of the whole host.
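
The length restriction that the vulnerable-systems text says is missing, shown as an added C example that is not code from xl or from the advisory: it joins command-line configuration settings into a fixed buffer and rejects input that does not fit. The function name, the buffer size and the sample settings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative capacity (assumption); not a value from the advisory or xl. */
#define EXTRA_CONFIG_MAX 64

/*
 * Join "key=value" settings into out[], one per line, NUL-terminated.
 * Returns 0 on success, -1 if the joined text would not fit; on failure
 * out[] is emptied so a truncated configuration is never used.
 * The unsafe pattern is the same loop with the length test removed: the
 * copy then runs past the end of out[] once the arguments are long enough.
 */
int join_extra_config(char *out, size_t out_size,
                      const char *const *args, size_t nargs)
{
    size_t used = 0;

    if (out == NULL || out_size == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < nargs; i++) {
        size_t len = strlen(args[i]);
        size_t avail = out_size - used - 1;   /* bytes free, NUL excluded */
        if (len >= avail) {                   /* need len + 1 for the '\n' */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, args[i], len);
        used += len;
        out[used++] = '\n';
        out[used] = '\0';
    }
    return 0;
}

int main(void)
{
    /* Constructed sample settings, as a wrapper might forward them. */
    const char *args[] = { "memory=512", "vcpus=2" };
    char buf[EXTRA_CONFIG_MAX];

    if (join_extra_config(buf, sizeof buf, args, 2) != 0) {
        fprintf(stderr, "configuration settings too long, rejected\n");
        return 1;
    }
    fputs(buf, stdout);
    return 0;
}
```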