osec-2022-01
Vulnerability from osv_ocaml
Background
MirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Output on the console is performed via the Xen console protocol. Problem Description
Since MirageOS moved from PV mode to PVH, and thus replacing Mini-OS with solo5, there was an issue in the solo5 code which failed to properly account the already written bytes on the console. This only occurs if the output to be performed does not fit in a single output buffer (2048 bytes on Xen).
The code in question set the number of bytes written to the last written count (written = output_some(buf)), instead of increasing the written count (written += output_some(buf)).
Impact
Console output may lead to an infinite loop, endlessly printing data onto the console.
A prominent unikernel is the Qubes MirageOS firewall, which prints some input packets onto the console. This can lead to a remote denial of service vulnerability, since any client could send a malformed and sufficiently big network packet.
Solution
The solution is to fix the console output code in solo5, as done in https://github.com/Solo5/solo5/pull/538/commits/099be86f0a17a619fcadbb970bb9e511d28d3cd8
Timeline
- 2022-12-04: initial report by Krzysztof Burghardt https://github.com/mirage/qubes-mirage-firewall/issues/166
- 2022-12-04: investigation by Hannes Mehnert and Pierre Alain
- 2022-12-05: initial fix by Pierre Alain https://github.com/Solo5/solo5/pull/538
- 2022-12-05: review of fix by Thomas Leonard
- 2022-12-07: release of fixed packages and security advisory
{
"affected": [
{
"ecosystem_specific": {
"opam_constraint": "solo5 {\u003e= \"0.6.6\" \u0026 \u003c \"0.7.5\"}"
},
"package": {
"ecosystem": "opam",
"name": "solo5",
"purl": "pkg:opam/solo5"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.6"
},
{
"fixed": "0.7.5"
}
],
"type": "ECOSYSTEM"
},
{
"events": [
{
"fixed": "099be86f0a17a619fcadbb970bb9e511d28d3cd8"
},
{
"introduced": "f4b47d11983bf8f32aaf4ec496a045c35e4e582f"
}
],
"repo": "https://github.com/solo5/solo5",
"type": "GIT"
}
],
"versions": [
"0.7.0",
"0.7.1",
"0.7.2",
"0.7.3",
"0.7.4"
]
}
],
"aliases": [
"CVE-2022-46770"
],
"credits": [
{
"name": "Krzysztof Burghardt",
"type": "REPORTER"
},
{
"name": "Pierre Alain",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Thomas Leonard",
"type": "REMEDIATION_REVIEWER"
},
{
"name": "Hannes Mehnert",
"type": "REMEDIATION_REVIEWER"
}
],
"database_specific": {
"cwe": [
"CWE-835"
],
"human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2022/OSEC-2022-01.md",
"osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2022/OSEC-2022-01.json"
},
"details": "## Background\n\nMirageOS is a library operating system using cooperative multitasking, which can be executed as a guest of the Xen hypervisor. Output on the console is performed via the Xen console protocol.\nProblem Description\n\nSince MirageOS moved from PV mode to PVH, and thus replacing Mini-OS with solo5, there was an issue in the solo5 code which failed to properly account the already written bytes on the console. This only occurs if the output to be performed does not fit in a single output buffer (2048 bytes on Xen).\n\nThe code in question set the number of bytes written to the last written count (written = output_some(buf)), instead of increasing the written count (written += output_some(buf)).\n\n## Impact\n\nConsole output may lead to an infinite loop, endlessly printing data onto the console.\n\nA prominent unikernel is the Qubes MirageOS firewall, which prints some input packets onto the console. This can lead to a remote denial of service vulnerability, since any client could send a malformed and sufficiently big network packet.\n\n## Solution\n\nThe solution is to fix the console output code in solo5, as done in https://github.com/Solo5/solo5/pull/538/commits/099be86f0a17a619fcadbb970bb9e511d28d3cd8\n\n## Timeline\n\n- 2022-12-04: initial report by Krzysztof Burghardt https://github.com/mirage/qubes-mirage-firewall/issues/166\n- 2022-12-04: investigation by Hannes Mehnert and Pierre Alain\n- 2022-12-05: initial fix by Pierre Alain https://github.com/Solo5/solo5/pull/538\n- 2022-12-05: review of fix by Thomas Leonard\n- 2022-12-07: release of fixed packages and security advisory",
"id": "OSEC-2022-01",
"modified": "2026-02-18T09:30:00Z",
"published": "2022-12-07T00:00:00Z",
"references": [
{
"type": "FIX",
"url": "https://github.com/Solo5/solo5/pull/538"
},
{
"type": "ADVISORY",
"url": "https://mirageos.org/blog/MSA03"
}
],
"schema_version": "1.7.4",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Infinite loop in console output on xen"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.