Bug 869925 (CVE-2014-2580) - VUL-0: CVE-2014-2580: kernel: xen: XSA-90: netback crash trying to disable due to malformed packet
Status: RESOLVED FIXED
Alias: CVE-2014-2580
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Charles Arnold
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/97282/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-24 13:19 UTC by Marcus Meissner
Modified: 2014-04-29 08:25 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
xsa90.patch (4.01 KB, patch)
2014-03-24 13:20 UTC, Marcus Meissner

Description Marcus Meissner 2014-03-24 13:19:26 UTC
via oss-sec

From: "Xen.org security team" <security@xen.org>
Date: Mon, 24 Mar 2014 13:01:09 +0000
Subject: [oss-security] Xen Security Advisory 90 - Linux netback crash trying to disable due to malformed packet


                    Xen Security Advisory XSA-90

      Linux netback crash trying to disable due to malformed packet

ISSUE DESCRIPTION
=================

When Linux's netback sees a malformed packet, it tries to disable the
interface which serves the misbehaving frontend.

This involves taking a mutex, which might sleep.  But in recent
versions of Linux the guest transmit path is handled by NAPI in
softirq context, where sleeping is not allowed.  The end result is
that the backend domain (often, Dom0) crashes with "scheduling while
atomic".

IMPACT
======

Malicious guest administrators can cause denial of service.  If driver
domains are not in use, the impact is a host crash.

VULNERABLE SYSTEMS
==================

This bug affects systems using Linux as the driver domain, including
non-disaggregated systems using Linux as dom0.

Only versions of Linux whose netback uses NAPI are affected.  In Linux
mainline this is all versions of Linux containing git changeset
b3f980bd82, which was introduced between Linux 3.11 and 3.12-rc1.

Systems using a different OS as dom0 (e.g., NetBSD, Solaris) are not
vulnerable.

Both x86 and ARM systems are affected.

MITIGATION
==========

Using driver domains may limit the scope of the denial of service, and
may make it possible to resume service without restarting guests (by
restarting the driver domain).  Advice on reconfiguring a system to
use driver domains is beyond the reasonable scope of this advisory.

In the case of an x86 HVM guest, the exploit can be prevented by
disabling the PV IO paths; normally this would come with a substantial
performance cost, and it may involve reconfiguring the guest as well
as the host.  This is not recommended.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.  The public mailing list thread
nevertheless contains information strongly suggestive of a security
bug, and a different security bug (with CVE) is suggested as seeming
"similar".

For these reasons we (the Xen Project Security Team) have concluded
that the presence of this bug, as a security problem, is not (any
longer) a secret.

CREDITS
=======

This issue was discovered as a bug by Török Edwin and analysed by
Wei Liu of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

$ sha256sum xsa90*.patch
07341ffb7f577d32510602797a08009eade817009b425a124413ee743bdb6f05  xsa90.patch
$



References:
http://comments.gmane.org/gmane.comp.security.oss.general/12431
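The failure mode the advisory describes (a sleeping lock taken from NAPI softirq context) and the shape of the upstream fix (mark the vif disabled, let the per-vif kthread do the disabling in process context) are modelled below in a user-space C program. This is an added example, not netback code and not part of this bug report: preempt_count is modelled by a counter, the sleeping lock by a function that records a "scheduling while atomic" violation instead of crashing, and the request layout and validation rule (offset + size must not cross the 4 KiB page) are simplified assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u            /* assumption: x86 page size */

struct tx_request {                /* simplified model of a netif_tx_request */
    uint16_t offset;               /* data offset inside the granted page */
    uint16_t size;                 /* payload length */
};

struct vif {
    bool carrier_on;               /* netif_carrier_ok() in the kernel */
    bool disabled;                 /* set by the fixed NAPI path, read by the kthread */
    int  fatal_errors;
};

/* Models preempt_count(): nonzero means atomic context (NAPI poll runs in
 * softirq), where sleeping is forbidden. */
static int atomic_depth;
static int sched_while_atomic;     /* would-be "BUG: scheduling while atomic" events */

static void softirq_enter(void) { atomic_depth++; }
static void softirq_exit(void)  { atomic_depth--; }

/* Models a sleeping lock such as mutex_lock()/rtnl_lock(). The real kernel
 * reports "scheduling while atomic" and dom0 dies; the model records the
 * violation and returns false so the program can continue. */
static bool sleeping_lock(void)
{
    if (atomic_depth > 0) {
        sched_while_atomic++;
        fprintf(stderr, "BUG: scheduling while atomic (model)\n");
        return false;
    }
    return true;
}
static void sleeping_unlock(void) {}

/* Disabling the interface needs the sleeping lock: process context only. */
static bool vif_carrier_off(struct vif *v)
{
    if (!sleeping_lock())
        return false;
    v->carrier_on = false;
    sleeping_unlock();
    return true;
}

/* Simplified stand-in for netback's request validation. */
static bool tx_request_malformed(const struct tx_request *req)
{
    return req->size == 0 || (uint32_t)req->offset + req->size > PAGE_SIZE;
}

/* Vulnerable shape: the fatal-error path disables the vif directly from
 * NAPI poll. Returns -1 when the model hits the atomic-context violation. */
int napi_poll_vulnerable(struct vif *v, const struct tx_request *req)
{
    int rc = 0;
    softirq_enter();
    if (tx_request_malformed(req)) {
        v->fatal_errors++;
        if (!vif_carrier_off(v))
            rc = -1;
    }
    softirq_exit();
    return rc;
}

/* Fixed shape: NAPI only sets a flag (non-sleeping, safe in softirq) and
 * would wake the per-vif kthread; the kthread does the carrier-off. */
int napi_poll_fixed(struct vif *v, const struct tx_request *req)
{
    softirq_enter();
    if (tx_request_malformed(req)) {
        v->fatal_errors++;
        v->disabled = true;        /* wake_up(&vif->wq) in the kernel */
    }
    softirq_exit();
    return 0;
}

/* One iteration of the per-vif kthread body, running in process context. */
bool vif_kthread_iteration(struct vif *v)
{
    if (v->disabled && v->carrier_on)
        return vif_carrier_off(v);
    return true;
}

void vif_init(struct vif *v) { memset(v, 0, sizeof *v); v->carrier_on = true; }
int  model_violations(void)  { return sched_while_atomic; }

/* Constructed malformed request: 4000 + 200 crosses the end of the page. */
static const struct tx_request bad_req = { .offset = 4000, .size = 200 };

int scenario_vulnerable(void)      /* returns the poll rc: -1 means dom0 crash */
{
    struct vif v; vif_init(&v);
    return napi_poll_vulnerable(&v, &bad_req);
}

int scenario_fixed(void)           /* returns 1 if the vif ends up carrier-off */
{
    struct vif v; vif_init(&v);
    napi_poll_fixed(&v, &bad_req);
    vif_kthread_iteration(&v);
    return v.carrier_on ? 0 : 1;
}

int main(void)
{
    printf("vulnerable: rc=%d\n", scenario_vulnerable());
    printf("fixed: carrier_off=%d, violations so far=%d\n",
           scenario_fixed(), model_violations());
    return 0;
}
```

Run as-is to see the vulnerable path report the modelled "scheduling while atomic" and the fixed path disable the vif without one; the only thing that changed between the two is which context performs the operation that may sleep.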
Comment 1 Marcus Meissner 2014-03-24 13:20:16 UTC
Created attachment 583370 [details]
xsa90.patch

patch that was attached
Comment 3 Jan Beulich 2014-03-24 15:29:45 UTC
Afaict we aren't: Our netback didn't get switched to NAPI mode (yet), and hence from all I can tell we're unaffected.
Comment 4 Swamp Workflow Management 2014-03-24 23:00:28 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2014-03-25 07:44:38 UTC
CVE-2014-2580
Comment 6 Marcus Meissner 2014-03-25 09:32:01 UTC
add to mainline kernel:

commit b3f980bd827e6e81a050c518d60ed7811a83061d
Author: Wei Liu <wei.liu2@citrix.com>
Date:   Mon Aug 26 12:59:38 2013 +0100

    xen-netback: switch to NAPI + kthread 1:1 model

even after openSUSE 13.1.

Someone needs to check SLE12 though.

(If this is a kernel thing, please assign to kernel-maintainers)
Comment 7 Alexander Bergmann 2014-04-28 15:53:14 UTC
Jan, can you check if this needs to be addressed by the kernel team, or are we not affected at all and this can be closed?
Comment 8 Jan Beulich 2014-04-29 07:28:17 UTC
Not sure why you're asking me again - I already stated my perspective in #3: No shipping product of ours, to my knowledge, contains netback drivers built from the upstream sources (the ARM configs do in 13.1 and Factory, but I don't think we formally support Xen on ARM at this point).
Comment 9 Alexander Bergmann 2014-04-29 08:25:05 UTC
Thanks Jan.

I've checked and the fix is already committed to SLE12.

commit 699dfec4e90e73bac6455560187c34f77115bc2f
Author: Wei Liu <wei.liu2@citrix.com>
Date:   Tue Apr 1 12:46:12 2014 +0100

    xen-netback: disable rogue vif in kthread context
    
    [ Upstream commit e9d8b2c2968499c1f96563e6522c56958d5a1d0d ]


Therefore closing this bug now.