Bug 1323956 (CVE-2016-3961, xsa174) - CVE-2016-3961 xsa174 xen: hugetlbfs use may crash PV Linux guests (XSA-174)
Summary: CVE-2016-3961 xsa174 xen: hugetlbfs use may crash PV Linux guests (XSA-174)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-3961, xsa174
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1327219
Blocks: 1323957
TreeView+ depends on / blocked
 
Reported: 2016-04-05 07:42 UTC by Adam Mariš
Modified: 2021-02-17 04:06 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:50:20 UTC
Embargoed:

Attachments (Terms of Use)
Upstream patch for Linux 4.5.x ... 3.10.x (2.51 KB, patch)
2016-04-05 07:47 UTC, Adam Mariš 		no flags Details | Diff
View All

Description Adam Mariš 2016-04-05 07:42:25 UTC 
ISSUE DESCRIPTION
=================

Huge (2Mb) pages are generally unavailable to PV guests.  Since x86
Linux pvops-based kernels are generally multi purpose, they would
normally be built with hugetlbfs support enabled.  Use of that
functionality by an application in a PV guest would cause an
infinite page fault loop, and an OOPS to occur upon an attempt to
terminate the hung application.

IMPACT
======

Depending on the guest kernel configuration, the OOPS could result
in a kernel crash (guest DoS).

VULNERABLE SYSTEMS
==================

All upstream x86 Linux versions operating as PV Xen guests are
vulnerable.

ARM systems are not vulnerable.  x86 HVM guests are not vulnerable.

x86 Linux versions derived from linux-2.6.18-xen.hg (XenoLinux) are not
vulnerable.

Oracle Unbreakable Enterprise Kernels are not vulnerable.

We believe that non-Linux guests are not vulnerable, as we are not
aware of any with an analogous bug.

MITIGATION
==========

Running only HVM guests will avoid this issue.

Not enabling hugetlbfs use, by not altering the boot time default value
of zero in /proc/sys/vm/nr_hugepages (which can only be written by the
root user) will avoid this issue.

It is possible that disabling (or not enabling) the "panic on OOPS"
behavior (via use of the "oops=panic" command line option or the
"panic_on_oops" sysctl) will also avoid this issue, by limiting the
effect to an application crash.  We are not currently sure whether
this is an effective mitigation, as we are not sure whether any locks
or mutexes are held at the point of the crash.

External References:

http://xenbits.xen.org/xsa/advisory-174.html

Acknowledgements:

Name: the Xen project
Comment 1 Adam Mariš 2016-04-05 07:47:49 UTC 
Created attachment 1143682 [details]
Upstream patch for Linux 4.5.x ... 3.10.x
Comment 2 Andrej Nemec 2016-04-14 13:40:21 UTC 
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1327219]
Comment 3 Andrej Nemec 2016-04-14 13:40:51 UTC 
Public via:

http://seclists.org/oss-sec/2016/q2/73
Comment 4 Vitaly Kuznetsov 2016-04-18 12:14:38 UTC 
We should have probably created RHEL6 bug for it as we still support PV guests with it.

The issue was initially reported as a RHEL bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1312331

but it is not linked from here and we'll have to put the fix in z-streams.
Comment 5 Fedora Update System 2016-04-23 23:43:58 UTC 
binutils-2.26-18.fc24, kernel-4.5.2-301.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2016-04-27 21:50:21 UTC 
kernel-4.4.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-05-06 19:52:26 UTC 
kernel-4.4.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.