Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 505552 (CVE-2014-2580) - app-emulation/xen : Linux netback crash trying to disable due to malformed packetXSA-90) (CVE-2014-2580)
Summary: app-emulation/xen : Linux netback crash trying to disable due to malformed pa...
Status: RESOLVED FIXED
Alias: CVE-2014-2580
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-24 14:23 UTC by Agostino Sarubbo
Modified: 2015-04-05 04:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-24 14:23:03 UTC
From ${URL} :

                    Xen Security Advisory XSA-90

      Linux netback crash trying to disable due to malformed packet

ISSUE DESCRIPTION
=================

When Linux's netback sees a malformed packet, it tries to disable the
interface which serves the misbehaving frontend.

This involves taking a mutex, which might sleep.  But in recent
versions of Linux the guest transmit path is handled by NAPI in
softirq context, where sleeping is not allowed.  The end result is
that the backend domain (often, Dom0) crashes with "scheduling while
atomic".

IMPACT
======

Malicious guest administrators can cause denial of service.  If driver
domains are not in use, the impact is a host crash.

VULNERABLE SYSTEMS
==================

This bug affects systems using Linux as the driver domain, including
non-disaggregated systems using Linux as dom0.

Only versions of Linux whose netback uses NAPI are affected.  In Linux
mainline this is all versions of Linux containing git changeset
b3f980bd82, which was introduced between Linux 3.11 and 3.12-rc1.

Systems using a different OS as dom0 (eg, NetBSD, Solaris) are not
vulnerable.

Both x86 and ARM systems are affected.

MITIGATION
==========

Using driver domains may limit the scope of the denial of service, and
may make it possible to resume service without restarting guests (by
restarting the driver domain).  Advice on reconfiguring a system to
use driver domains is beyond the reasonable scope of this advisory.

In the case of an x86 HVM guest, the exploit can be prevented by
disabling the PV IO paths; normally this would come with a substantial
performance cost, and it may involve reconfiguring the guest as well
as the host.  This is not recommended.

NOTE REGARDING LACK OF EMBARGO
==============================

This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.  The public mailing list thread
nevertheless contains information strongly suggestive of a security
bug, and a different security bug (with CVE) is suggested as seeming
"similar".

For these reasons we (the Xen Project Security Team) have concluded
that the presence of this bug, as a security problem, is not (any
longer) a secret.

CREDITS
=======

This issue was discovered as a bug by Török Edwin and analysed by
Wei Liu of Citrix.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

$ sha256sum xsa90*.patch
07341ffb7f577d32510602797a08009eade817009b425a124413ee743bdb6f05  xsa90.patch
$



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yixun Lan archtester gentoo-dev 2014-04-08 23:36:37 UTC
This is bug related to xen, but should be handled in the kernel side, so CC @kernel team

quote from XSA-90:
This patch has also been applied to the network subsystem maintainer's git tree:
https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=e9d8b2c2968499c1f96563e6522c56958d5a1d0d
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:26:13 UTC
CVE-2014-2580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2580):
  The netback driver in Xen, when using certain Linux versions that do not
  allow sleeping in softirq context, allows local guest administrators to
  cause a denial of service ("scheduling while atomic" error and host crash)
  via a malformed packet, which causes a mutex to be taken when trying to
  disable the interface.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:26:13 UTC
CVE-2014-2580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2580):
  The netback driver in Xen, when using certain Linux versions that do not
  allow sleeping in softirq context, allows local guest administrators to
  cause a denial of service ("scheduling while atomic" error and host crash)
  via a malformed packet, which causes a mutex to be taken when trying to
  disable the interface.
Comment 4 Yixun Lan archtester gentoo-dev 2014-06-11 03:01:33 UTC
this patch already included by kernel upstream in v3.15-rc1, for sys-kernel/gentoo-sources, already include this fix start from version 3.14.4

thanks
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-04-05 04:06:56 UTC
Patch for Kernel, outside of GLSA.

As per maintainer patch included in kernel.