Xen.org security team
2014-Apr-02 11:50 UTC
Xen Security Advisory 90 (CVE-2014-2580) - Linux netback crash trying to disable due to malformed packet
Xen Security Advisory CVE-2014-2580 / XSA-90
version 2
Linux netback crash trying to disable due to malformed packet
UPDATES IN VERSION 2
===================
This issue has been assigned CVE-2014-2580.
A fix has been accepted into the Linux network subsystem maintainer's
tree. The final fix differs substantially from the initial patch,
which calls xenvif_carrier_off from an invalid context resulting in a
kernel panic in the backend. The updated patch defers this work to
kthread context and ensures that no traffic is processed in the
meantime.
The attached patches have been updated accordingly. Since the patch
in v1 of the advisory does not eliminate the vulnerability, users are
strongly encouraged to update to the latest patch.
ISSUE DESCRIPTION
================
When Linux's netback sees a malformed packet, it tries to disable the
interface which serves the misbehaving frontend.
This involves taking a mutex, which might sleep. But in recent
versions of Linux the guest transmit path is handled by NAPI in
softirq context, where sleeping is not allowed. The end result is
that the backend domain (often, Dom0) crashes with "scheduling while
atomic".
IMPACT
=====
Malicious guest administrators can cause denial of service. If driver
domains are not in use, the impact is a host crash.
VULNERABLE SYSTEMS
=================
This bug affects systems using Linux as the driver domain, including
non-disaggregated systems using Linux as dom0.
Only versions of Linux whose netback uses NAPI are affected. In Linux
mainline this is all versions of Linux containing git changeset
b3f980bd82, which was introduced between Linux 3.11 and 3.12-rc1.
Systems using a different OS as dom0 (e.g., NetBSD, Solaris) are not
vulnerable.
Both x86 and ARM systems are affected.
MITIGATION
=========
Using driver domains may limit the scope of the denial of service, and
may make it possible to resume service without restarting guests (by
restarting the driver domain). Advice on reconfiguring a system to
use driver domains is beyond the reasonable scope of this advisory.
In the case of an x86 HVM guest, the exploit can be prevented by
disabling the PV IO paths; normally this would come with a substantial
performance cost, and it may involve reconfiguring the guest as well
as the host. This is not recommended.
NOTE REGARDING LACK OF EMBARGO
=============================
This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem. The public mailing list thread
nevertheless contains information strongly suggestive of a security
bug, and a different security bug (with CVE) is suggested as seeming
"similar".
For these reasons we (the Xen Project Security Team) have concluded
that the presence of this bug, as a security problem, is not (any
longer) a secret.
CREDITS
======
This issue was discovered as a bug by Török Edwin and analysed by
Wei Liu of Citrix.
RESOLUTION
=========
Applying the attached patch resolves this issue.
$ sha256sum xsa90*.patch
364d94db6dc2b151eb1bb359dc90c71cbb8c5e3dc99b73fc01d981c018777ff4 xsa90.patch
$
This patch has also been applied to the network subsystem maintainer's git
tree:
https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=e9d8b2c2968499c1f96563e6522c56958d5a1d0d
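As an added check that is not part of the advisory: a shell function that classifies a Linux git checkout against this issue by commit ancestry, using the two mainline changeset ids the advisory names (b3f980bd82, which brought NAPI to netback, and e9d8b2c2968499c1f96563e6522c56958d5a1d0d, the fix). It assumes git is on PATH and that the repository carries full mainline history; a missing commit object is reported as "unknown" rather than as safe.

```shell
#!/bin/sh
# Classify a Linux git tree against XSA-90 by commit ancestry.
# Usage: xsa90_status <repo-dir> [vuln-commit] [fix-commit]
# Prints one of: not-affected | vulnerable | fixed | unknown
# Exit status: 0 for not-affected/fixed, 1 for vulnerable, 2 for unknown.
# Defaults are the mainline ids from the advisory: b3f980bd82 introduced
# NAPI in netback; e9d8b2c2968499c1f96563e6522c56958d5a1d0d is the fix.
xsa90_status() {
    repo=$1
    vuln=${2:-b3f980bd82}
    fix=${3:-e9d8b2c2968499c1f96563e6522c56958d5a1d0d}

    # A tree that lacks the vulnerable commit object (shallow clone, vendor
    # tree without mainline history) cannot be classified; say so instead of
    # reading "not an ancestor" as "not affected".
    if ! git -C "$repo" cat-file -e "$vuln^{commit}" 2>/dev/null; then
        echo "unknown"
        return 2
    fi

    # HEAD predates the NAPI conversion: netback here does not run the guest
    # transmit path in softirq context, so the sleeping mutex is harmless.
    if ! git -C "$repo" merge-base --is-ancestor "$vuln" HEAD; then
        echo "not-affected"
        return 0
    fi

    # Affected only if the fix commit is absent from HEAD's history.
    if git -C "$repo" cat-file -e "$fix^{commit}" 2>/dev/null \
        && git -C "$repo" merge-base --is-ancestor "$fix" HEAD; then
        echo "fixed"
        return 0
    fi

    echo "vulnerable"
    return 1
}
```

Stable and distribution kernels carry the fix under different commit ids, so "vulnerable" on such a tree only means the mainline id is absent; confirm against the patch content or the sha256 given above.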
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users