Bug 1970536 (CVE-2021-28691)

Summary: CVE-2021-28691 xen: guest triggered use-after-free in Linux xen-netback (XSA-374)
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bskeggs, hdegoede, jarodwilson, jeremy, jforbes, jglisse, jonathan, josef, jwboyer, kernel-maint, lgoncalv, linville, masami256, m.a.young, mchehab, ptalbert, steved
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-10 21:04:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970537, 1971599    
Bug Blocks: 1970612    

Description Guilherme de Almeida Suckevicz 2021-06-10 16:29:31 UTC 
A malicious or buggy network PV frontend can force Linux netback to disable the interface and terminate the receive kernel thread associated with queue 0 in response to the frontend sending a malformed packet. Such kernel thread termination will lead to a use-after-free in Linux netback when the backend is destroyed, as the kernel thread associated with queue 0 will have already exited and thus the call to kthread_stop will be performed against a stale pointer.

Reference:
https://xenbits.xen.org/xsa/advisory-374.html
Comment 1 Guilherme de Almeida Suckevicz 2021-06-10 16:30:02 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1970537]
Comment 2 Product Security DevOps Team 2021-06-10 21:04:03 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Petr Matousek 2021-06-14 12:21:10 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1971599]
Comment 4 Justin M. Forbes 2021-06-15 15:33:02 UTC 
This was fixed for Fedora with the 5.12.10 stable kernel updates.