The Xen project has revealed a new bug, XSA-180, but warns its patch for the problem is itself problematic.
The bug means that “When the libxl toolstack launches qemu for HVM guests, it pipes the output of stderr to a file in /var/log/xen.”
“This output is not rate-limited in any way. The guest can easily cause qemu to print messages to stderr, causing this file to become arbitrarily large.”
So large that “The disk containing the logfile can be exausted [sic], possibly causing a denial-of-service (DoS).”
The problem only afflicts Xen on x86 and can be avoided by running only paravirtualised guests. Or there's a patch.
But the Xen project has put a stern caveat into its release notes, warning that the patches “adopt a simple and rather crude approach which is effective at resolving the security issue in the context of a Xen device model.”
And here's the nasty part: “ They may not be appropriate for adoption upstream or in other contexts.”
To The Register's eye, that's a warning that the patch needs to be handled with care. Which isn't the way patches are usually labelled.
Good luck with this one, Xen users. ®