-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0801
     Linux: special config may crash when trying to map foreign pages
                               5 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Xen
Publisher:         Xen
Operating System:  Xen
                   Linux variants
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://xenbits.xen.org/xsa/advisory-369.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                    Xen Security Advisory XSA-369

   Linux: special config may crash when trying to map foreign pages

ISSUE DESCRIPTION
=================

With CONFIG_XEN_BALLOON_MEMORY_HOTPLUG disabled and
CONFIG_XEN_UNPOPULATED_ALLOC enabled the Linux kernel will use guest
physical addresses allocated via the ZONE_DEVICE functionality for
mapping foreign guest's pages.

This will result in problems, as the p2m list will only cover the initial
memory size of the domain plus some padding at the end. Most ZONE_DEVICE
allocated addresses will be outside the p2m range and thus a mapping can't
be established with those memory addresses, resulting in a crash.

The attack involves doing I/O requiring large amounts of data to be
mapped by the Dom0 or driver domain.  The amount of data needed to
result in a crash can vary depending on the memory layout of the
affected Dom0 or driver domain.

IMPACT
======

A Dom0 or driver domain based on a Linux kernel (configured as
described above) can be crashed by a malicious guest administrator, or
possibly malicious unprivileged guest processes.

VULNERABLE SYSTEMS
==================

Only x86 paravirtualized (PV) Dom0 or driver domains are
affected.

Only Linux kernels configured *with* CONFIG_XEN_UNPOPULATED_ALLOC and
*without* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG are vulnerable.  Only
kernels from kernel version 5.9 onwards are affected.

CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is enabled by default in upstream
Linux when Xen support is enabled, so kernels using upstream default
Kconfig are not affected.  Most distribution kernels supporting Xen
dom0 use are likewise not vulnerable.

Arm systems or x86 PVH or x86 HVM driver domains are not affected.
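The three conditions above that can be read from a kernel build configuration (CONFIG_XEN_UNPOPULATED_ALLOC enabled, CONFIG_XEN_BALLOON_MEMORY_HOTPLUG disabled, kernel 5.9 or later) can be checked with a short POSIX shell script. The script below is an added example and is not part of the Xen advisory or of any Xen project tooling; it assumes the kernel configuration is available in the usual `/boot/config-$(uname -r)` format, and the sample configuration files it writes are constructed for the demonstration. It cannot tell whether the kernel is running as an x86 PV Dom0 or driver domain, which is the remaining condition from this section and must be checked separately.

```shell
#!/bin/sh
# Added example (not from the XSA-369 advisory): report whether a kernel
# build configuration matches the option combination the advisory names.
# Assumes Kconfig-style files such as /boot/config-$(uname -r).
# Whether the kernel is an x86 PV Dom0/driver domain is NOT checked here.

# Return 0 if "$1" (e.g. 5.10.0-8-amd64) is kernel version 5.9 or later.
kernel_version_at_least_5_9() {
    ver="$1"
    major="${ver%%.*}"          # text before the first dot
    rest="${ver#*.}"            # text after the first dot
    minor="${rest%%[!0-9]*}"    # leading digits of that text
    if [ "$major" -gt 5 ]; then
        return 0
    elif [ "$major" -eq 5 ] && [ "$minor" -ge 9 ]; then
        return 0
    fi
    return 1
}

# Return 0 when the config file "$1" has CONFIG_XEN_UNPOPULATED_ALLOC
# enabled and CONFIG_XEN_BALLOON_MEMORY_HOTPLUG not enabled.
config_matches_xsa369() {
    cfg="$1"
    if ! grep -q '^CONFIG_XEN_UNPOPULATED_ALLOC=y' "$cfg"; then
        return 1
    fi
    if grep -q '^CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y' "$cfg"; then
        return 1
    fi
    return 0
}

# Combine both checks. Prints a verdict; returns 0 only when every
# condition that can be read from the build configuration is met.
xsa369_check() {
    cfg="$1"
    ver="$2"
    if kernel_version_at_least_5_9 "$ver" && config_matches_xsa369 "$cfg"; then
        echo "$ver: config matches the XSA-369 combination; apply xsa369-linux.patch if this is an x86 PV Dom0 or driver domain"
        return 0
    fi
    echo "$ver: not affected by XSA-369 according to the build config"
    return 1
}

# Constructed sample configs (not taken from any real system) for a stand-alone run.
tmp="${TMPDIR:-/tmp}/xsa369-demo.$$"
mkdir -p "$tmp"
printf 'CONFIG_XEN=y\nCONFIG_XEN_UNPOPULATED_ALLOC=y\n# CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not set\n' > "$tmp/custom.config"
printf 'CONFIG_XEN=y\nCONFIG_XEN_UNPOPULATED_ALLOC=y\nCONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y\n' > "$tmp/default.config"

xsa369_check "$tmp/custom.config" 5.10.0-8-amd64 || :   # matches
xsa369_check "$tmp/default.config" 5.10.0-8-amd64 || :  # upstream default, not affected
xsa369_check "$tmp/custom.config" 5.4.0 || :            # too old to contain the code
rm -rf "$tmp"

# On a live system: xsa369_check "/boot/config-$(uname -r)" "$(uname -r)"
```

The version check treats only the major and minor numbers, so release candidates and distribution suffixes (5.10-rc1, 5.10.0-8-amd64) are handled alike; a match only means the configuration is worth reviewing against the "Only x86 paravirtualized (PV) Dom0 or driver domains are affected" condition, not that the host is certainly vulnerable.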

MITIGATION
==========

There is no mitigation available.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa369-linux.patch           Linux 5.9-stable - 5.12-rc

$ sha256sum xsa369*
937df4f078a070cf47bdd718c6b8a042ec6bee255eedc422d833c2ae3dd561c7  xsa369-linux.patch
$

CREDITS
=======

This issue was discovered by Marek Marczykowski-Gorecki of Invisible
Things Lab.

For patch:
Reported-by: Marek Marczykowski-Gorecki <marmarek@invisiblethingslab.com>

NOTE REGARDING LACK OF EMBARGO
==============================

This was reported publicly multiple times, before the XSA could be
issued.
- -----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmBAvMQMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ5PoH/2EY28X1Fe+2RW5SrnAo2dZWLXeIrXQIXbsDCdlI
GKhFChUhYHJP3wLhE4F7J5SAjl48ta/gtdpbpJWXsZSS+2KIdV/dDZ3ZA6cxWFAI
DuVvqqt5O0xpF02bgTZrL1GUL8975L0O7cwtGmsIbPjVSF5UktuLS0Q1zRAiYvG9
l5Xu32nekxz2fGebMYrJTIPYNc8LOg3d+MIAE4W1u3Wj46S8yRJhyNQmsPQXZTEk
nlTp0ed8ScAt7pIZn7dbnLz8zUAQ64h2yar0UBih51kd3Bss5E4PXsS0zlXlVNfk
046nBhbFfB3dgM49NlJ3oHhiZh6dN5LpMblmGK4Tb+FJqNE=
=QwG+
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYEF93+NLKJtyKPYoAQh1jRAAs1yCb2oACkm9g+49pUWVFqo+I8XZ7GSx
u4Xw13uie//SJINBgHm3uprQn4to/p7lnhFw2eCFBeCpUwcp4W8C+k90FEkZ4Dwn
Xaan9gniuQ9v7BoRwz3PHQXulZDo6m5SPHGzFIIVAS/b75S1NZJalejyvSrAvVTR
wmCr9E7Wj2idZ0UgO0TWZ0RxGuJ0SxpdifGC4C6hkOECnIvl9l03hHhWs6UCTTqK
bWw2ApLOBTjcjq8ZNxz+wSIJtnKAjAOGDoGEFdS+2HU2CpQ6qmDGNax1f67B4nBP
oqybe1MpUy9pHLAs0hUsUHuRa6jv5PbWTCyPWKib/kVaR/XUzP3jxZeqqi72g/BP
My1QShZ7rBgzQyvOTZq0VlsIxRpZzcQ2ifCIFANk1m+C/s9pig8cxcZ6CvAL9/AW
UjIxNgE/+hn0/PxJ7Jk1B/9DxC9qvWyTKfvblV4alXnBliTxZwxyIJQPp6ylC4ca
g4N9HNvLUs7imMgOET1sK0lvu6TjnoXupSo5ZfDd/PaLkRCvx+0mdgNt5Cfdxkuq
1RiOPaCAssU5moneQ0wHNWuRqxUy45hT8FjqRkeS/GfrVviQ696VRudhZJuns7sG
c9sZRIQupnN4R1DhKGF1eD3lUF7UiX4lXbLHU69GpffmTzHmCkkpiY9ZnGdXluli
LDF+eKsm+I4=
=NAAC
-----END PGP SIGNATURE-----