x86: unintentional logging upon guest changing callback method

2015-12-21T11:12:00
ID XSA-169
Type xen
Reporter Xen Project
Modified 2015-12-22T18:46:00

Description

ISSUE DESCRIPTION

HYPERVISOR_hvm_op sub-op HVMOP_set_param's HVM_PARAM_CALLBACK_IRQ operation intends to log the new callback method in debug builds only. The full message, however, is split into two parts, the second one of which didn't get suppressed on non-debug builds as would have been intended. These log messages are not rate-limited and can be triggered by guests.

IMPACT

A malicious guest could cause repeated logging to the hypervisor console, leading to a Denial of Service attack.

VULNERABLE SYSTEMS

Xen version 4.6 is affected. Older Xen versions are unaffected. ARM systems are not affected. Only x86 HVM guests can expose this vulnerability.