Vigil@nce - Xen: denial of service via HYPERVISOR_hvm_op
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker in a HVM guest system can use several times
HYPERVISOR_hvm_op() on Xen, in order to trigger a denial of
service on the host system.
Impacted products: Xen.
Severity: 1/4.
Creation date: 21/12/2015.
DESCRIPTION OF THE VULNERABILITY
The Xen product implements the hypercall HYPERVISOR_hvm_op().
The HVMOP_set_param HVM_PARAM_CALLBACK_IRQ operation calls the
hvm_set_callback_via() function of the xen/arch/x86/hvm/irq.c
file, when the guest system is HVM. However, this function calls
dprintk() which uselessly logs an information.
A local attacker in a HVM guest system can therefore use several
times HYPERVISOR_hvm_op() on Xen, in order to trigger a denial of
service on the host system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-denial-of-service-via-HYPERVISOR-hvm-op-18569