Xen says new patch is 'simple and crude' and warns against using it

The Xen project has revealed a new bug, XSA-180, but warns its patch for the problem is itself problematic. The bug means that “When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen.” “This output is not rate-limited in any way. The guest can easily cause qemu to print …

  1. storner
    FAIL

    Bah!

    Any admin worth his pay puts logfiles on a separate filesystem. Filling that should not cause a DoS of the whole system, only loss of logging (which may be unfortunate, but it will also point a thick finger at which of your VMs has been pwned).

    1. Lee D Silver badge

      Re: Bah!

      Surely any admin worth his pay would be pushing logging off to a dedicated syslog server anyway?

  2. gwd

    Clarification

    What the warning means is that the patch is targeted *only* for deployment within a Xen system; and 1) probably will not be acceptable as-is in the core qemu project ("may not be appropriate for adoption upstream"), and 2) may not actually fix the problem if you're using QEMU outside of a normal Xen system -- for instance, in KVM, or in your own virtualization system ("...or in other contexts").

    In other words, this patch is a hack -- a safe and effective one for Xen, but not a long-term solution. Normally we would always try to provide a proper fix, but in this case a proper fix would require changes to the interface, which can't be done effectively in a security update.

    The text you quote is a bit unclear; it's difficult sometimes to get every detail just right when you're under time pressure and focusing on trying to get everything else right.
