Xen.org security team
2014-Mar-24 13:01 UTC
Xen Security Advisory 90 - Linux netback crash trying to disable due to malformed packet
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Xen Security Advisory XSA-90

      Linux netback crash trying to disable due to malformed packet

ISSUE DESCRIPTION
=================

When Linux's netback sees a malformed packet, it tries to disable the
interface which serves the misbehaving frontend. This involves taking a
mutex, which might sleep. But in recent versions of Linux the guest
transmit path is handled by NAPI in softirq context, where sleeping is
not allowed. The end result is that the backend domain (often, Dom0)
crashes with "scheduling while atomic".

IMPACT
======

Malicious guest administrators can cause denial of service. If driver
domains are not in use, the impact is a host crash.

VULNERABLE SYSTEMS
==================

This bug affects systems using Linux as the driver domain, including
non-disaggregated systems using Linux as dom0.

Only versions of Linux whose netback uses NAPI are affected. In Linux
mainline this is all versions of Linux containing git changeset
b3f980bd82, which was introduced between Linux 3.11 and 3.12-rc1.

Systems using a different OS as dom0 (eg, NetBSD, Solaris) are not
vulnerable.

Both x86 and ARM systems are affected.

MITIGATION
==========

Using driver domains may limit the scope of the denial of service, and
may make it possible to resume service without restarting guests (by
restarting the driver domain). Advice on reconfiguring a system to use
driver domains is beyond the reasonable scope of this advisory.

In the case of an x86 HVM guest, the exploit can be prevented by
disabling the PV IO paths; normally this would come with a substantial
performance cost, and it may involve reconfiguring the guest as well as
the host. This is not recommended.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem. The public mailing list thread
nevertheless contains information strongly suggestive of a security
bug, and a different security bug (with CVE) is suggested as seeming
"similar". For these reasons we (the Xen Project Security Team) have
concluded that the presence of this bug, as a security problem, is not
(any longer) a secret.

CREDITS
=======

This issue was discovered as a bug by Török Edwin and analysed by Wei
Liu of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

$ sha256sum xsa90*.patch
07341ffb7f577d32510602797a08009eade817009b425a124413ee743bdb6f05  xsa90.patch
$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTMCxRAAoJEIP+FMlX6CvZaAEIAIIVfNdz3CwFYbiSwa51RJ3L
YFarP71/0EjNJKSaRwf6EQjDNnApqq6ep4+WKFvlMbm515jyQXp6mAbb8ffqnLUQ
2SDOlQXOpbnZrJrgo4YcT5ru8ZusauYz36TkFVcXBmcKWq29KoUARo5zG7YGyh9H
aWajaZs6RQPv3QE8IInNSP0oitRQZg/5xAW+Lz4Kn8xpO/IJuYW3ROH6JQcFF67H
r7xVAzxjrNQ3P5mN0iiOkQYK39PqhwGUhWaa6JlejsjUgU1nsGIBOHH+ISCaZrtL
e/6XK3awaDiu1dAL4Py1SdhPiA0sTeqA3bf6ARd7ymoIFqGuxrqYlupcUKTupjE=
=LrLN
-----END PGP SIGNATURE-----

Attachment: xsa90.patch (shown here decoded from the base64 MIME part)

From: Wei Liu <wei.liu2@citrix.com>
Date: Mon, 17 Mar 2014 11:52:53 +0000
Subject: [PATCH RFC] xen-netback: disable rogue vif in kthread context

When netback discovers frontend is sending malformed packet it will
disables the interface which serves that frontend.

However disabling a network interface involving taking a mutex which
cannot be done in softirq context, so we need to defer this process to
kthread context.

This patch does the following:
1. introduce a flag to indicate the interface is disabled.
2. check that flag in TX path, don't do any work if it's true.
3. check that flag in RX path, turn off that interface if it's true.

The reason to disable it in RX path is because RX uses kthread. After
this change the behavior of netback is still consistent -- it won't do
any TX work for a rogue frontend, and the interface will be eventually
turned off.

Also change a "continue" to "break" after xenvif_fatal_tx_err, as it
doesn't make sense to continue processing packets if frontend is rogue.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
---
 drivers/net/xen-netback/common.h    |    5 +++++
 drivers/net/xen-netback/interface.c |    9 +++++++++
 drivers/net/xen-netback/netback.c   |   14 ++++++++++++--
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h
index ae413a2..4bf5b33 100644
--- a/drivers/net/xen-netback/common.h
+++ b/drivers/net/xen-netback/common.h
@@ -113,6 +113,11 @@ struct xenvif {
 	domid_t          domid;
 	unsigned int     handle;
 
+	/* Is this interface disabled? True when backend discovers
+	 * frontend is rogue.
+	 */
+	bool disabled;
+
 	/* Use NAPI for guest TX */
 	struct napi_struct napi;
 	/* When feature-split-event-channels = 0, tx_irq = rx_irq. */
diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
index 301cc03..234f1c8 100644
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -62,6 +62,13 @@ static int xenvif_poll(struct napi_struct *napi, int budget)
 	struct xenvif *vif = container_of(napi, struct xenvif, napi);
 	int work_done;
 
+	/* This vif is rogue, we pretend we've used up all budget to
+	 * deschedule it from NAPI. But this interface will be turned
+	 * off in thread context later.
+	 */
+	if (unlikely(vif->disabled))
+		return budget;
+
 	work_done = xenvif_tx_action(vif, budget);
 
 	if (work_done < budget) {
@@ -321,6 +328,8 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid,
 	vif->ip_csum = 1;
 	vif->dev = dev;
 
+	vif->disabled = false;
+
 	vif->credit_bytes = vif->remaining_credit = ~0UL;
 	vif->credit_usec  = 0UL;
 	init_timer(&vif->credit_timeout);
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index 438d0c0..94e7261 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -655,7 +655,7 @@ static void xenvif_tx_err(struct xenvif *vif,
 static void xenvif_fatal_tx_err(struct xenvif *vif)
 {
 	netdev_err(vif->dev, "fatal error; disabling device\n");
-	xenvif_carrier_off(vif);
+	vif->disabled = true;
 }
 
 static int xenvif_count_requests(struct xenvif *vif,
@@ -1126,7 +1126,7 @@ static unsigned xenvif_tx_build_gops(struct xenvif *vif, int budget)
 				   vif->tx.sring->req_prod, vif->tx.req_cons,
 				   XEN_NETIF_TX_RING_SIZE);
 			xenvif_fatal_tx_err(vif);
-			continue;
+			break;
 		}
 
 		work_to_do = RING_HAS_UNCONSUMED_REQUESTS(&vif->tx);
@@ -1549,6 +1549,16 @@ int xenvif_kthread(void *data)
 		wait_event_interruptible(vif->wq,
					 rx_work_todo(vif) ||
					 kthread_should_stop());
+
+		/* This frontend is found to be rogue, disable it in
+		 * kthread context. Currently this is only set when
+		 * netback finds out frontend sends malformed packet,
+		 * but we cannot disable the interface in softirq
+		 * context so we defer it here.
+		 */
+		if (unlikely(vif->disabled && netif_carrier_ok(vif->dev)))
+			xenvif_carrier_off(vif);
+
 		if (kthread_should_stop())
 			break;
 
-- 
1.7.10.4

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
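Review bot: the comment on the new `bool disabled` field in the common.h hunk says when the flag becomes true but not which context writes it and which acts on it, nor that nothing in this patch ever clears it; since it is set from xenvif_fatal_tx_err() on the NAPI (softirq) TX path and consumed by xenvif_kthread(), spell that out, e.g. `/* Set from the TX path (NAPI context); the vif is actually turned off by xenvif_kthread(). Never cleared. */`, so the next reader knows why the write is safe without a lock.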
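Review bot: the comment in the xenvif_poll() hunk says returning `budget` is done "to deschedule it from NAPI", but returning the full budget is NAPI's signal that more work remains, so the poll is not completed and the vif is polled again; the effect is that a rogue vif keeps being polled (cheaply, returning at once) until the kthread runs xenvif_carrier_off(). Reword the comment to say that the vif stays scheduled but does no TX work until thread context turns it off, or, if the intent really is to stop polling, the `return budget` needs a completion path that this hunk does not contain.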
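Review bot: in the xenvif_fatal_tx_err() hunk, `vif->disabled = true;` replaces the call that used to disable the interface, but nothing here wakes the thread that is now responsible for doing so; add a wake-up of `vif->wq` right after setting the flag so that the deferred xenvif_carrier_off() runs promptly instead of at the next unrelated RX wake-up (the xenvif_kthread() hunk only waits on `rx_work_todo(vif) || kthread_should_stop()`).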
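Review bot: the `continue` to `break` change in the xenvif_tx_build_gops() hunk is explained only in the commit message; add a one-line comment at the `break` (e.g. `/* frontend is rogue: stop consuming this ring */`) so the reason survives in the source, since nothing at that site otherwise shows why the loop must not go on to the next request.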
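Review bot: in the xenvif_kthread() hunk the wait condition in the context lines is still `rx_work_todo(vif) || kthread_should_stop()`, so the new `vif->disabled && netif_carrier_ok(vif->dev)` check only runs when RX work or a stop request happens to wake the thread; a rogue frontend that sends nothing the backend needs to deliver to it stays up indefinitely. Add `vif->disabled ||` to the wait_event_interruptible() condition, paired with a wake-up where the flag is set, so the carrier goes off as soon as the flag is raised.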
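The context problem the advisory describes and the deferral the attached patch uses to fix it, modelled in userspace as an added example (this is not the kernel's xen-netback code and not part of the advisory): NAPI poll runs in a context that must not sleep, so after the fix the TX path only sets a flag, and the per-vif thread, which may sleep, is the one that takes the mutex and turns the carrier off. Sleeping is modelled as taking a lock while an `in_atomic` counter is non-zero and is counted rather than crashing. All names (`napi_poll`, `kthread_iteration`, `run_scenario`, the `kicked` flag) are this model's own, and kicking the thread when the flag is set is a design choice of the model, not something the attached patch does.

```c
/* Userspace model of the XSA-90 fix (example code, not xen-netback).
 * "Sleeping" means taking the lock in sleeping_lock(); doing so while
 * in_atomic is non-zero is a scheduling-while-atomic bug, counted here
 * where the real kernel would crash the backend domain. */
#include <stdbool.h>
#include <stdio.h>

struct vif {
	bool disabled;      /* models the vif->disabled flag the patch adds */
	bool carrier_on;    /* models netif_carrier_ok(vif->dev) */
	bool kicked;        /* models a pending wake-up of the vif's kthread */
	int  tx_work;       /* TX batches processed for this frontend */
	int  atomic_bugs;   /* sleeps attempted while in atomic context */
};

static int in_atomic;   /* > 0 while the modelled softirq (NAPI poll) runs */

/* Models mutex_lock(): a primitive that may sleep. */
static void sleeping_lock(struct vif *v)
{
	if (in_atomic)
		v->atomic_bugs++;   /* kernel: "scheduling while atomic" */
}

/* Models xenvif_carrier_off(): takes the sleeping lock, drops the carrier. */
static void carrier_off(struct vif *v)
{
	sleeping_lock(v);
	v->carrier_on = false;
}

/* xenvif_fatal_tx_err() before the patch: disables in the caller's context. */
static void fatal_tx_err_unfixed(struct vif *v)
{
	carrier_off(v);
}

/* After the patch: only record that the frontend is rogue. The kick is this
 * model's addition so the deferred disable does not wait for RX work. */
static void fatal_tx_err_fixed(struct vif *v)
{
	v->disabled = true;
	v->kicked = true;
}

/* Models xenvif_poll() in softirq context. 'malformed' stands in for a bad
 * request found on the TX ring. A disabled vif reports the whole budget
 * without touching the ring, as the patch does; a vif whose carrier is
 * already off is not polled at all. */
static int napi_poll(struct vif *v, bool fixed, bool malformed, int budget)
{
	int done = 0;

	if (!v->carrier_on)
		return 0;
	in_atomic++;
	if (v->disabled) {
		done = budget;
	} else if (malformed) {
		if (fixed)
			fatal_tx_err_fixed(v);
		else
			fatal_tx_err_unfixed(v);
	} else {
		v->tx_work++;
		done = 1;
	}
	in_atomic--;
	return done;
}

/* Models one wake-up of xenvif_kthread(): thread context, may sleep. */
static void kthread_iteration(struct vif *v)
{
	if (!v->kicked)
		return;             /* wait_event_interruptible() would still block */
	v->kicked = false;
	if (v->disabled && v->carrier_on)
		carrier_off(v);
}

struct outcome {
	int  atomic_bugs;         /* sleeps attempted in atomic context */
	bool carrier_on;          /* interface still up at the end? */
	int  tx_work_after_error; /* TX work done for the frontend after the error */
};

/* Constructed scenario: one good batch, one malformed batch, one more poll
 * from the rogue frontend, then the kthread runs. */
struct outcome run_scenario(bool fixed)
{
	struct vif v = { .carrier_on = true };
	int before;

	napi_poll(&v, fixed, false, 64);
	napi_poll(&v, fixed, true, 64);
	before = v.tx_work;
	napi_poll(&v, fixed, false, 64);
	kthread_iteration(&v);
	return (struct outcome){ v.atomic_bugs, v.carrier_on, v.tx_work - before };
}

int main(void)
{
	for (int fixed = 0; fixed < 2; fixed++) {
		struct outcome o = run_scenario(fixed);
		printf("%-10s atomic_bugs=%d carrier_on=%d tx_after_error=%d\n",
		       fixed ? "patched:" : "unpatched:", o.atomic_bugs,
		       o.carrier_on, o.tx_work_after_error);
	}
	return 0;
}
```

The unpatched run records one sleep attempted in atomic context, which is the point at which the real backend domain crashes; the patched run records none, does no further TX work for the rogue frontend from the moment the flag is set, and turns the carrier off only once the thread runs. Dropping the `kicked` wake-up from `fatal_tx_err_fixed()` leaves the interface up until something else wakes the thread, which is the behaviour to watch for when reviewing a deferral of this kind.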