Bug 656206 (CVE-2010-4247)

Summary: CVE-2010-4247 xen: request-processing loop is unbounded in blkback
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dhoward, lwang, plyons, pmatouse, rkhan, security-response-team, vkrizan, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-29 13:23:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 654546, 656208    
Bug Blocks:    

Description Eugene Teo (Security Response) 2010-11-23 08:32:02 UTC 
If the frontend pass a bad index of production request, the backend will enter an endless loop and then cause a excessive CPU consumption.

This issue has been fixed in upstream by:
changeset:   391:77f831cbb91d
user:        Keir Fraser <keir.fraser>
date:        Fri Jan 18 16:52:25 2008 +0000
summary:     blkback: Request-processing loop is unbounded and hence requires a
http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/77f831cbb91d

changeset:   392:7070d34f251c
user:        Keir Fraser <keir.fraser>
date:        Mon Jan 21 11:43:31 2008 +0000
summary:     blkback/blktap: Check for kthread_should_stop() in inner loop,
http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/7070d34f251c

Version-Release number of selected component (if applicable):
2.6.18-194.el5xen

How reproducible:

Steps to Reproduce:
1. build a guest kernel with the patch attached.
2. run domU with the patched kernel

Actual results:
Dom0 got hung.

Expected results:
Dom0 shouldn't be impacted by a bad guest.
Comment 4 errata-xmlrpc 2011-01-04 16:53:13 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0004 https://rhn.redhat.com/errata/RHSA-2011-0004.html