Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1323956 - (CVE-2016-3961, xsa174) CVE-2016-3961 xsa174 xen: hugetlbfs use may crash PV Linux guests (XSA-174)
CVE-2016-3961 xsa174 xen: hugetlbfs use may crash PV Linux guests (XSA-174)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20160414,repor...
: Security
Depends On: 1327219
Blocks: 1323957
  Show dependency treegraph
 
Reported: 2016-04-05 03:42 EDT by Adam Mariš
Modified: 2016-05-06 15:52 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Upstream patch for Linux 4.5.x ... 3.10.x (2.51 KB, patch)
2016-04-05 03:47 EDT, Adam Mariš
no flags Details | Diff

  None (edit)
Description Adam Mariš 2016-04-05 03:42:25 EDT
ISSUE DESCRIPTION
=================

Huge (2Mb) pages are generally unavailable to PV guests.  Since x86
Linux pvops-based kernels are generally multi purpose, they would
normally be built with hugetlbfs support enabled.  Use of that
functionality by an application in a PV guest would cause an
infinite page fault loop, and an OOPS to occur upon an attempt to
terminate the hung application.

IMPACT
======

Depending on the guest kernel configuration, the OOPS could result
in a kernel crash (guest DoS).

VULNERABLE SYSTEMS
==================

All upstream x86 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.  x86 HVM guests are not vulnerable.

x86 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are not
vulnerable.

Oracle Unbreakable Enterprise Kernels are not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling hugetlbfs use, by not altering the boot time default value
of zero in /proc/sys/vm/nr_hugepages (which can only be written by the
root user) will avoid this issue.

It is possible that disabling (or not enabling) the "panic on OOPS"
behavior (via use of the "oops=panic" command line option or the
"panic_on_oops" sysctl) will also avoid this issue, by limiting the
effect to an application crash.  We are not currently sure whether
this is an effective mitigation, as we are not sure whether any locks
or mutexes are held at the point of the crash.

External References:

http://xenbits.xen.org/xsa/advisory-174.html

Acknowledgements:

Name: the Xen project
Comment 1 Adam Mariš 2016-04-05 03:47 EDT
Created attachment 1143682 [details]
Upstream patch for Linux 4.5.x ... 3.10.x
Comment 2 Andrej Nemec 2016-04-14 09:40:21 EDT
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1327219]
Comment 3 Andrej Nemec 2016-04-14 09:40:51 EDT
Public via:

http://seclists.org/oss-sec/2016/q2/73
Comment 4 Vitaly Kuznetsov 2016-04-18 08:14:38 EDT
We should have probably created RHEL6 bug for it as we still support PV guests with it.

The issue was initially reported as a RHEL bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1312331

but it is not linked from here and we'll have to put the fix in z-streams.
Comment 5 Fedora Update System 2016-04-23 19:43:58 EDT
binutils-2.26-18.fc24, kernel-4.5.2-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2016-04-27 17:50:21 EDT
kernel-4.4.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-05-06 15:52:26 EDT
kernel-4.4.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.