OSEC-2022-01

See a problem?

Import Source

https://github.com/ocaml/security-advisories/blob/generated-osv/2022/OSEC-2022-01.json

JSON Data

https://api.osv.dev/v1/vulns/OSEC-2022-01

Aliases

CVE-2022-46770

Published

2022-12-07T00:00:00Z

Modified

2026-02-18T09:30:00Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Infinite loop in console output on xen

Details

Background

MirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Output on the console is performed via the Xen console protocol. Problem Description

Since MirageOS moved from PV mode to PVH, and thus replacing Mini-OS with solo5, there was an issue in the solo5 code which failed to properly account the already written bytes on the console. This only occurs if the output to be performed does not fit in a single output buffer (2048 bytes on Xen).

The code in question set the number of bytes written to the last written count (written = outputsome(buf)), instead of increasing the written count (written += outputsome(buf)).

Impact

Console output may lead to an infinite loop, endlessly printing data onto the console.

A prominent unikernel is the Qubes MirageOS firewall, which prints some input packets onto the console. This can lead to a remote denial of service vulnerability, since any client could send a malformed and sufficiently big network packet.

Solution

The solution is to fix the console output code in solo5, as done in https://github.com/Solo5/solo5/pull/538/commits/099be86f0a17a619fcadbb970bb9e511d28d3cd8

Timeline

2022-12-04: initial report by Krzysztof Burghardt https://github.com/mirage/qubes-mirage-firewall/issues/166
2022-12-04: investigation by Hannes Mehnert and Pierre Alain
2022-12-05: initial fix by Pierre Alain https://github.com/Solo5/solo5/pull/538
2022-12-05: review of fix by Thomas Leonard
2022-12-07: release of fixed packages and security advisory

Database specific

{
    "cwe": [
        "CWE-835"
    ],
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2022/OSEC-2022-01.json",
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2022/OSEC-2022-01.md"
}

References

Credits

- Krzysztof Burghardt - REPORTER
- Pierre Alain - REMEDIATION_DEVELOPER
- Thomas Leonard - REMEDIATION_REVIEWER
- Hannes Mehnert - REMEDIATION_REVIEWER

Affected packages

opam / solo5

Package

Name: solo5
Purl: pkg:opam/solo5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.6.6

Fixed

0.7.5

Type: GIT
Repo: https://github.com/solo5/solo5
Events: Fixed

099be86f0a17a619fcadbb970bb9e511d28d3cd8

Introduced

f4b47d11983bf8f32aaf4ec496a045c35e4e582f

Affected versions

0.*

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

Ecosystem specific

{
    "opam_constraint": "solo5 {>= \"0.6.6\" & < \"0.7.5\"}"
}

Database specific

source

"https://github.com/ocaml/security-advisories/blob/generated-osv/2022/OSEC-2022-01.json"