Information

Advisory XSA-90
Public release 2014-03-24 13:00
Updated 2014-04-02 11:49
Version 2
CVE(s) CVE-2014-2580
Title Linux netback crash trying to disable due to malformed packet

Files

advisory-90.txt (signed advisory file)
xsa90.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

             Xen Security Advisory CVE-2014-2580 / XSA-90
                              version 2

      Linux netback crash trying to disable due to malformed packet

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2014-2580.

A fix has been accepted into the Linux network subsystem maintainer's
tree.  The final fix differs substantially from the initial patch,
which calls xenvif_carrier_off from an invalid context resulting in a
kernel panic in the backend.  The updated patch defers this work to
kthread context and ensures that no traffic is processed in the
meantime.

The attached patches have been updated accordingly.  Since the patch
in v1 of the advisory does not eliminate the vulnerability, users are
strongly encouraged to update to the latest patch.

ISSUE DESCRIPTION
=================

When Linux's netback sees a malformed packet, it tries to disable the
interface which serves the misbehaving frontend.

This involves taking a mutex, which might sleep.  But in recent
versions of Linux the guest transmit path is handled by NAPI in
softirq context, where sleeping is not allowed.  The end result is
that the backend domain (often, Dom0) crashes with "scheduling while
atomic".

IMPACT
======

Malicious guest administrators can cause denial of service.  If driver
domains are not in use, the impact is a host crash.

VULNERABLE SYSTEMS
==================

This bug affects systems using Linux as the driver domain, including
non-disaggregated systems using Linux as dom0.

Only versions of Linux whose netback uses NAPI are affected.  In Linux
mainline this is all versions of Linux containing git changeset
b3f980bd82, which was introduced between Linux 3.11 and 3.12-rc1.

Systems using a different OS as dom0 (eg, NetBSD, Solaris) are not
vulnerable.

Both x86 and ARM systems are affected.

MITIGATION
==========

Using driver domains may limit the scope of the denial of service, and
may make it possible to resume service without restarting guests (by
restarting the driver domain).  Advice on reconfiguring a system to
use driver domains is beyond the reasonable scope of this advisory.

In the case of an x86 HVM guest, the exploit can be prevented by
disabling the PV IO paths; normally this would come with a substantial
performance cost, and it may involve reconfiguring the guest as well
as the host.  This is not recommended.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.  The public mailing list thread
nevertheless contains information strongly suggestive of a security
bug, and a different security bug (with CVE) is suggested as seeming
"similar".

For these reasons we (the Xen Project Security Team) have concluded
that the presence of this bug, as a security problem, is not (any
longer) a secret.

CREDITS
=======

This issue was discovered as a bug by Török Edwin and analysed by
Wei Liu of Citrix.

RESOLUTION
==========

Applying the attached patch resolves this issue.

$ sha256sum xsa90*.patch
364d94db6dc2b151eb1bb359dc90c71cbb8c5e3dc99b73fc01d981c018777ff4  xsa90.patch
$

This patch has also been applied to the network subsystem maintainer's git tree:
https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=e9d8b2c2968499c1f96563e6522c56958d5a1d0d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTO/lVAAoJEIP+FMlX6CvZkYAH/1DY0nKcCsG718IFOdtuu1LA
tWhoEACOkqCrqfg/L/6/Tljd0okBlOa15v9amBAJvy7amxAIzlGHDgD3BgQ1w5Te
Rc+GDVIoHhYq/LdqSj2Jr4TFXCuekOxTER3idvg+E1RrCOoEqNEFbIKey16vo/ll
tn7qKs+qZ7LlQHhjLmwFuDfSromYzOoSiS43nqy4vFHgFXC1Zmk/K8p8DLHxz92y
gt6EvMdoDIdgk9hZdLkRIPlqvprV6wQ69pX3MVB6WKIWwW6OYDxbMLfICbubESST
7af33QABFimadkalnN+4+xGblS1WRC5wz2XpSfNNe1bbaKkbPhXe7o9j0+mLX8g=
=FL5w
-----END PGP SIGNATURE-----

Xenproject.org Security Team