From ${URL} : Xen Security Advisory XSA-90 Linux netback crash trying to disable due to malformed packet ISSUE DESCRIPTION ================= When Linux's netback sees a malformed packet, it tries to disable the interface which serves the misbehaving frontend. This involves taking a mutex, which might sleep. But in recent versions of Linux the guest transmit path is handled by NAPI in softirq context, where sleeping is not allowed. The end result is that the backend domain (often, Dom0) crashes with "scheduling while atomic". IMPACT ====== Malicious guest administrators can cause denial of service. If driver domains are not in use, the impact is a host crash. VULNERABLE SYSTEMS ================== This bug affects systems using Linux as the driver domain, including non-disaggregated systems using Linux as dom0. Only versions of Linux whose netback uses NAPI are affected. In Linux mainline this is all versions of Linux containing git changeset b3f980bd82, which was introduced between Linux 3.11 and 3.12-rc1. Systems using a different OS as dom0 (eg, NetBSD, Solaris) are not vulnerable. Both x86 and ARM systems are affected. MITIGATION ========== Using driver domains may limit the scope of the denial of service, and may make it possible to resume service without restarting guests (by restarting the driver domain). Advice on reconfiguring a system to use driver domains is beyond the reasonable scope of this advisory. In the case of an x86 HVM guest, the exploit can be prevented by disabling the PV IO paths; normally this would come with a substantial performance cost, and it may involve reconfiguring the guest as well as the host. This is not recommended. NOTE REGARDING LACK OF EMBARGO ============================== This bug was publicly reported on xen-devel, before it was appreciated that there was a security problem. The public mailing list thread nevertheless contains information strongly suggestive of a security bug, and a different security bug (with CVE) is suggested as seeming "similar". For these reasons we (the Xen Project Security Team) have concluded that the presence of this bug, as a security problem, is not (any longer) a secret. CREDITS ======= This issue was discovered as a bug by Török Edwin and analysed by Wei Liu of Citrix. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. $ sha256sum xsa90*.patch 07341ffb7f577d32510602797a08009eade817009b425a124413ee743bdb6f05 xsa90.patch $ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This is bug related to xen, but should be handled in the kernel side, so CC @kernel team quote from XSA-90: This patch has also been applied to the network subsystem maintainer's git tree: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=e9d8b2c2968499c1f96563e6522c56958d5a1d0d
CVE-2014-2580 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2580): The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service ("scheduling while atomic" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface.
this patch already included by kernel upstream in v3.15-rc1, for sys-kernel/gentoo-sources, already include this fix start from version 3.14.4 thanks
Patch for Kernel, outside of GLSA. As per maintainer patch included in kernel.