Bug 2034940 (CVE-2021-28711, CVE-2021-28712, CVE-2021-28713, XSA-391)

Summary: CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 xen: rogue backends can cause DoS of guests via high frequency events
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, bdettelb, bhu, brdeoliv, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hkrzesin, jarod, jburrell, jfaracco, jforbes, jlelli, jshortt, jstancek, kcarcia, kernel-mgr, lgoncalv, lzampier, m.a.young, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Linux kernel 5.16-rc7 Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw for virtual machine guests in the Linux kernel's Xen hypervisor subsystem was found in the way users call some interrupts with high frequency from one of the guests. A local user could use this flaw to starve the resources resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-22 15:19:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2034941, 2036918, 2036919, 2036921, 2037393, 2037394    
Bug Blocks: 2034965    

Description Guilherme de Almeida Suckevicz 2021-12-22 14:29:08 UTC 
Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system.

However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time.

There are three affected backends:
 * blkfront          patch 1, CVE-2021-28711
 * netfront          patch 2, CVE-2021-28712
 * hvc_xen (console) patch 3, CVE-2021-28713

Reference:
https://xenbits.xen.org/xsa/advisory-391.html
Comment 1 Guilherme de Almeida Suckevicz 2021-12-22 14:29:20 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 2034941]
Comment 2 Product Security DevOps Team 2021-12-22 15:19:55 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.