Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 579068 (CVE-2016-3961, XSA-174) - app-emulation/xen, app-emulation/xen-tools: hugetlbfs use may crash PV Linux guests - XSA-174 (CVE-2016-3961)
Summary: app-emulation/xen, app-emulation/xen-tools: hugetlbfs use may crash PV Linux ...
Status: RESOLVED FIXED
Alias: CVE-2016-3961, XSA-174
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL:
Whiteboard: C3 [cve upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-05 05:06 UTC by Yury German
Modified: 2019-03-27 23:43 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Yury German Gentoo Infrastructure gentoo-dev 2016-04-05 05:06:32 UTC
Xen Security Advisory XSA-174

                hugetlbfs use may crash PV Linux guests

              *** EMBARGOED UNTIL 2016-04-14 12:00 UTC ***

ISSUE DESCRIPTION
=================

Huge (2Mb) pages are generally unavailable to PV guests.  Since x86
Linux pvops-based kernels are generally multi purpose, they would
normally be built with hugetlbfs support enabled.  Use of that
functionality by an application in a PV guest would cause an
infinite page fault loop, and an OOPS to occur upon an attempt to
terminate the hung application.

IMPACT
======

Depending on the guest kernel configuration, the OOPS could result
in a kernel crash (guest DoS).

VULNERABLE SYSTEMS
==================

All upstream x86 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.  x86 HVM guests are not vulnerable.

x86 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are not
vulnerable.

Oracle Unbreakable Enterprise Kernels are not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling hugetlbfs use, by not altering the boot time default value
of zero in /proc/sys/vm/nr_hugepages (which can only be written by the
root user) will avoid this issue.

It is possible that disabling (or not enabling) the "panic on OOPS"
behavior (via use of the "oops=panic" command line option or the
"panic_on_oops" sysctl) will also avoid this issue, by limiting the
effect to an application crash.  We are not currently sure whether
this is an effective mitigation, as we are not sure whether any locks
or mutexes are held at the point of the crash.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa174.patch           Linux 4.5.x ... 3.10.x

$ sha256sum xsa174*
1d8da3ea221b7d38df8330650f6e455df5431760d695e7dd6384e2725dcf5b25  xsa174.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because such host configuration changes would be user mode
visible, which could lead to the rediscovery of the vulnerability.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-04-18 20:46:19 UTC
CVE-2016-3961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3961):
  Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs
  support in x86 PV guests, which allows local PV guest users to cause a
  denial of service (guest OS crash) by attempting to access a hugetlbfs
  mapped area.
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2016-04-23 10:24:13 UTC
This patch is not for app-emulation/xen. The patch is a kernel patch
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 05:45:40 UTC
Re-Assigning to kernel team.
Comment 4 Thomas Deutschmann gentoo-dev Security 2016-11-21 17:43:40 UTC
The patch is already present in

>=linux-3.2.81
>=linux-3.16.36
>=linux-3.18.33
>=linux-4.1.24
>=linux-4.4.9

however it is missing from LTS kernels

- linux-3.4
- linux-3.10
- linux-3.12

I contacted linux stable mailing list. Patch is already queued for next linux-3.10 kernel. So we should make a progress when the next LTS kernels are out.
Comment 5 Tomáš Mózes 2018-12-10 09:41:29 UTC
Security, can you please close this obsolete one? Thanks