Bug 974041 (CVE-2016-3961) - VUL-0: CVE-2016-3961: kernel, xen: hugetlbfs use may crash PV Linux guests (XSA-174)
Status: RESOLVED INVALID
Alias: CVE-2016-3961
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2016-3961:5.2:(AV:A...
Reported: 2016-04-05 11:14 UTC by Johannes Segitz
Modified: 2016-07-21 10:21 UTC
Comment 1 Johannes Segitz 2016-04-05 11:16:07 UTC
CRD: 2016-04-14 12:00 UTC
Comment 3 Swamp Workflow Management 2016-04-05 22:01:10 UTC
bugbot adjusting priority
Comment 4 Johannes Segitz 2016-04-06 13:55:03 UTC
CVE-2016-3961 was assigned
Comment 8 Jan Beulich 2016-04-13 03:51:29 UTC
Yes, that's what this means (and why I have removed myself from Cc here).
Comment 9 Marcus Meissner 2016-04-14 15:19:18 UTC
is public

            Xen Security Advisory CVE-2016-3961 / XSA-174
                              version 3

                hugetlbfs use may crash PV Linux guests

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

Huge (2Mb) pages are generally unavailable to PV guests.  Since x86
Linux pvops-based kernels are generally multi purpose, they would
normally be built with hugetlbfs support enabled.  Use of that
functionality by an application in a PV guest would cause an
infinite page fault loop, and an OOPS to occur upon an attempt to
terminate the hung application.

IMPACT
======

Depending on the guest kernel configuration, the OOPS could result
in a kernel crash (guest DoS).

VULNERABLE SYSTEMS
==================

All upstream x86 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.  x86 HVM guests are not vulnerable.

x86 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are not
vulnerable.

Oracle Unbreakable Enterprise Kernels are not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling hugetlbfs use, by not altering the boot time default value
of zero in /proc/sys/vm/nr_hugepages (which can only be written by the
root user) will avoid this issue.

It is possible that disabling (or not enabling) the "panic on OOPS"
behavior (via use of the "oops=panic" command line option or the
"panic_on_oops" sysctl) will also avoid this issue, by limiting the
effect to an application crash.  We are not currently sure whether
this is an effective mitigation, as we are not sure whether any locks
or mutexes are held at the point of the crash.

CREDITS
=======

This issue was discovered by Vitaly Kuznetsov from Red Hat.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa174.patch           Linux 4.5.x ... 3.10.x

$ sha256sum xsa174*
cbec70e183f76b4081ebba05c0a8105bd4952d164a2e5c40528c05bf8861ddef  xsa174.patch
$
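
The MITIGATION section of the advisory above can be turned into a guest-side check. The following is an added example, not part of the advisory or of the bug comments. It assumes the hypothetical function names `read_val` and `xsa174_check`, and it uses `/sys/hypervisor/type` only to tell whether the kernel runs on Xen at all; that file does not distinguish PV from HVM, so the guest mode still has to be confirmed from the host configuration.

```shell
#!/bin/sh
# Added example: evaluate the XSA-174 mitigations on a Linux guest.
# An optional root prefix lets the check run against a copied or
# constructed /proc and /sys tree instead of the live system.

# Print the contents of file $1 without whitespace, or fallback $2.
read_val() {
    if [ -r "$1" ]; then
        tr -d ' \n' < "$1"
    else
        printf '%s' "$2"
    fi
}

# Prints one status line; return code 0 = not exposed,
# 1 = only the unconfirmed panic_on_oops mitigation applies, 2 = exposed.
xsa174_check() {
    root="${1:-}"
    hyp=$(read_val "$root/sys/hypervisor/type" none)
    huge=$(read_val "$root/proc/sys/vm/nr_hugepages" 0)
    poo=$(read_val "$root/proc/sys/kernel/panic_on_oops" 0)

    # The advisory only concerns Linux running as a Xen guest.
    if [ "$hyp" != "xen" ]; then
        echo "not-xen"
        return 0
    fi
    # Boot-time default of zero: hugetlbfs is not usable by applications.
    if [ "$huge" = "0" ]; then
        echo "mitigated: nr_hugepages=0"
        return 0
    fi
    # Huge pages enabled and an OOPS panics the kernel: guest DoS if PV.
    if [ "$poo" != "0" ]; then
        echo "exposed: nr_hugepages=$huge panic_on_oops=$poo"
        return 2
    fi
    # The advisory is not sure this limits the effect to an application crash.
    echo "unconfirmed-mitigation: nr_hugepages=$huge panic_on_oops=0"
    return 1
}
```

On a guest, source the file and call `xsa174_check` with no argument to read the live `/proc` and `/sys` values.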
Comment 11 Johannes Segitz 2016-07-21 10:17:41 UTC
not affected anywhere