Bug 1323956 (CVE-2016-3961, xsa174)

Summary: CVE-2016-3961 xsa174 xen: hugetlbfs use may crash PV Linux guests (XSA-174)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, security-response-team, vkuznets
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:50:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1327219    
Bug Blocks: 1323957    
Attachments:
Description Flags
Upstream patch for Linux 4.5.x ... 3.10.x none

Description Adam Mariš 2016-04-05 07:42:25 UTC 
ISSUE DESCRIPTION
=================

Huge (2Mb) pages are generally unavailable to PV guests.  Since x86
Linux pvops-based kernels are generally multi purpose, they would
normally be built with hugetlbfs support enabled.  Use of that
functionality by an application in a PV guest would cause an
infinite page fault loop, and an OOPS to occur upon an attempt to
terminate the hung application.

IMPACT
======

Depending on the guest kernel configuration, the OOPS could result
in a kernel crash (guest DoS).

VULNERABLE SYSTEMS
==================

All upstream x86 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.  x86 HVM guests are not vulnerable.

x86 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are not
vulnerable.

Oracle Unbreakable Enterprise Kernels are not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling hugetlbfs use, by not altering the boot time default value
of zero in /proc/sys/vm/nr_hugepages (which can only be written by the
root user) will avoid this issue.

It is possible that disabling (or not enabling) the "panic on OOPS"
behavior (via use of the "oops=panic" command line option or the
"panic_on_oops" sysctl) will also avoid this issue, by limiting the
effect to an application crash.  We are not currently sure whether
this is an effective mitigation, as we are not sure whether any locks
or mutexes are held at the point of the crash.

External References:

http://xenbits.xen.org/xsa/advisory-174.html

Acknowledgements:

Name: the Xen project
Comment 1 Adam Mariš 2016-04-05 07:47:49 UTC 
Created attachment 1143682 [details]
Upstream patch for Linux 4.5.x ... 3.10.x
Comment 2 Andrej Nemec 2016-04-14 13:40:21 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1327219]
Comment 3 Andrej Nemec 2016-04-14 13:40:51 UTC 
Public via:

http://seclists.org/oss-sec/2016/q2/73
Comment 4 Vitaly Kuznetsov 2016-04-18 12:14:38 UTC 
We should have probably created RHEL6 bug for it as we still support PV guests with it.

The issue was initially reported as a RHEL bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1312331

but it is not linked from here and we'll have to put the fix in z-streams.
Comment 5 Fedora Update System 2016-04-23 23:43:58 UTC 
binutils-2.26-18.fc24, kernel-4.5.2-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2016-04-27 21:50:21 UTC 
kernel-4.4.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-05-06 19:52:26 UTC 
kernel-4.4.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.