Xen.org security team
2014-Mar-24 13:01 UTC
Xen Security Advisory 90 - Linux netback crash trying to disable due to malformed packet
Xen Security Advisory XSA-90
Linux netback crash trying to disable due to malformed packet
ISSUE DESCRIPTION
================
When Linux's netback sees a malformed packet, it tries to disable the
interface which serves the misbehaving frontend.
This involves taking a mutex, which might sleep. But in recent
versions of Linux the guest transmit path is handled by NAPI in
softirq context, where sleeping is not allowed. The end result is
that the backend domain (often, Dom0) crashes with "scheduling while
atomic".
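Added illustration, not part of the advisory and not the contents of xsa90.patch: a userspace C model of the failure described above, where a disable path that takes a sleeping lock is reached from the softirq poll handler. All names (`model_mutex_lock`, `napi_poll_model`, `worker`, `run_model`) are hypothetical, and the deferral to process context is a general pattern assumed here for contrast.

```c
/* Userspace model, constructed for illustration; no kernel APIs are used. */
#include <stdbool.h>

enum ctx { CTX_PROCESS, CTX_SOFTIRQ };
static enum ctx current_ctx = CTX_PROCESS;

struct vif {
    bool enabled;         /* interface is serving the frontend */
    bool disable_pending; /* fatal error recorded, teardown deferred */
    int  atomic_sleeps;   /* sleeping lock taken while in softirq context */
};

/* Stand-in for a sleeping lock: it must not be taken in softirq context. */
static void model_mutex_lock(struct vif *v) {
    if (current_ctx == CTX_SOFTIRQ)
        v->atomic_sleeps++; /* a real kernel reports "scheduling while atomic" */
}

static void vif_disable(struct vif *v) {
    model_mutex_lock(v);
    v->enabled = false;
}

/* Softirq poll handler. deferred=false is the pattern the advisory describes:
 * the interface is disabled directly from the transmit path. deferred=true
 * only records that the frontend misbehaved. */
static void napi_poll_model(struct vif *v, bool malformed, bool deferred) {
    if (!malformed)
        return;
    if (deferred)
        v->disable_pending = true;
    else
        vif_disable(v);
}

/* Runs in process context, where taking a sleeping lock is allowed. */
static void worker(struct vif *v) {
    if (v->disable_pending) {
        v->disable_pending = false;
        vif_disable(v);
    }
}

/* Returns the number of illegal sleeps, or -1 if the vif stayed enabled. */
int run_model(bool deferred) {
    struct vif v = { .enabled = true };
    current_ctx = CTX_SOFTIRQ;   /* guest transmit path, handled by NAPI */
    napi_poll_model(&v, true, deferred);
    current_ctx = CTX_PROCESS;   /* later, in a thread that may sleep */
    worker(&v);
    return v.enabled ? -1 : v.atomic_sleeps;
}
```

In both modes the misbehaving interface ends up disabled; only the direct path takes the lock while in softirq context.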
IMPACT
=====
Malicious guest administrators can cause denial of service. If driver
domains are not in use, the impact is a host crash.
VULNERABLE SYSTEMS
=================
This bug affects systems using Linux as the driver domain, including
non-disaggregated systems using Linux as dom0.
Only versions of Linux whose netback uses NAPI are affected. In Linux
mainline this is all versions of Linux containing git changeset
b3f980bd82, which was introduced between Linux 3.11 and 3.12-rc1.
Systems using a different OS as dom0 (eg, NetBSD, Solaris) are not
vulnerable.
Both x86 and ARM systems are affected.
MITIGATION
=========
Using driver domains may limit the scope of the denial of service, and
may make it possible to resume service without restarting guests (by
restarting the driver domain). Advice on reconfiguring a system to
use driver domains is beyond the reasonable scope of this advisory.
In the case of an x86 HVM guest, the exploit can be prevented by
disabling the PV IO paths; normally this would come with a substantial
performance cost, and it may involve reconfiguring the guest as well
as the host. This is not recommended.
NOTE REGARDING LACK OF EMBARGO
=============================
This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem. The public mailing list thread
nevertheless contains information strongly suggestive of a security
bug, and a different security bug (with CVE) is suggested as seeming
"similar".
For these reasons we (the Xen Project Security Team) have concluded
that the presence of this bug, as a security problem, is not (any
longer) a secret.
CREDITS
======
This issue was discovered as a bug by Török Edwin and analysed by
Wei Liu of Citrix.
RESOLUTION
=========
Applying the appropriate attached patch resolves this issue.
$ sha256sum xsa90*.patch
07341ffb7f577d32510602797a08009eade817009b425a124413ee743bdb6f05 xsa90.patch
$