Xen project Mailing List

[Xen-announce] Xen Security Advisory 90 - Linux netback crash trying to disable due to malformed packet

To: xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: Xen.org security team <security@xxxxxxx>

Date: Mon, 24 Mar 2014 13:01:09 +0000

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Mon, 24 Mar 2014 13:02:50 +0000

List-id: "Xen announcements $low volume$" <xen-announce.lists.xen.org>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Xen Security Advisory XSA-90 Linux netback crash trying to disable due to malformed packet ISSUE DESCRIPTION ================= When Linux's netback sees a malformed packet, it tries to disable the interface which serves the misbehaving frontend. This involves taking a mutex, which might sleep. But in recent versions of Linux the guest transmit path is handled by NAPI in softirq context, where sleeping is not allowed. The end result is that the backend domain (often, Dom0) crashes with "scheduling while atomic". IMPACT ====== Malicious guest administrators can cause denial of service. If driver domains are not in use, the impact is a host crash. VULNERABLE SYSTEMS ================== This bug affects systems using Linux as the driver domain, including non-disaggregated systems using Linux as dom0. Only versions of Linux whose netback uses NAPI are affected. In Linux mainline this is all versions of Linux containing git changeset b3f980bd82, which was introduced between Linux 3.11 and 3.12-rc1. Systems using a different OS as dom0 (eg, NetBSD, Solaris) are not vulnerable. Both x86 and ARM systems are affected. MITIGATION ========== Using driver domains may limit the scope of the denial of service, and may make it possible to resume service without restarting guests (by restarting the driver domain). Advice on reconfiguring a system to use driver domains is beyond the reasonable scope of this advisory. In the case of an x86 HVM guest, the exploit can be prevented by disabling the PV IO paths; normally this would come with a substantial performance cost, and it may involve reconfiguring the guest as well as the host. This is not recommended. NOTE REGARDING LACK OF EMBARGO ============================== This bug was publicly reported on xen-devel, before it was appreciated that there was a security problem. The public mailing list thread nevertheless contains information strongly suggestive of a security bug, and a different security bug (with CVE) is suggested as seeming "similar". For these reasons we (the Xen Project Security Team) have concluded that the presence of this bug, as a security problem, is not (any longer) a secret. CREDITS ======= This issue was discovered as a bug by TÃrÃk Edwin and analysed by Wei Liu of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. $ sha256sum xsa90*.patch 07341ffb7f577d32510602797a08009eade817009b425a124413ee743bdb6f05 xsa90.patch $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBAgAGBQJTMCxRAAoJEIP+FMlX6CvZaAEIAIIVfNdz3CwFYbiSwa51RJ3L YFarP71/0EjNJKSaRwf6EQjDNnApqq6ep4+WKFvlMbm515jyQXp6mAbb8ffqnLUQ 2SDOlQXOpbnZrJrgo4YcT5ru8ZusauYz36TkFVcXBmcKWq29KoUARo5zG7YGyh9H aWajaZs6RQPv3QE8IInNSP0oitRQZg/5xAW+Lz4Kn8xpO/IJuYW3ROH6JQcFF67H r7xVAzxjrNQ3P5mN0iiOkQYK39PqhwGUhWaa6JlejsjUgU1nsGIBOHH+ISCaZrtL e/6XK3awaDiu1dAL4Py1SdhPiA0sTeqA3bf6ARd7ymoIFqGuxrqYlupcUKTupjE= =LrLN -----END PGP SIGNATURE-----

Attachment: xsa90.patch
Description: Binary data

_______________________________________________ Xen-announce mailing list Xen-announce@xxxxxxxxxxxxx http://lists.xen.org/xen-announce

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.