Information

Files

Advisory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

             Xen Security Advisory CVE-2024-53240 / XSA-465
                                version 3

                   Backend can crash Linux netfront

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

After a suspend/resume cycle of a Linux guest (e.g. via "virsh dompmsuspend"/
"virsh dompmwakeup") a malicious network backend can crash the guest via a
NULL-pointer dereference in the guest's xen-netfront driver.

During the resume operation the xen-netfront driver will release some data
structures used for communication with the backend, in order to reallocate
these data structures with possibly different parameters specified by the
backend. If the backend is triggering a network device removal in the
guest before any network I/O has happened, the NULL-pointer dereference
may happen, causing a crash of the guest.

IMPACT
======

In setups with non-trusted network backends (e.g. when using untrusted
network driver domains) suspend/resume cycles of guests can result in
those guests being crashed by a malicious network backend.

VULNERABLE SYSTEMS
==================

Only systems with non-trusted network backends are vulnerable.

As far as known only Linux guests with the fix for CVE-2022-48969 applied
are vulnerable (this includes all kernel versions from 6.1 onwards).

All guest types (x86 PV, x86 PVH/HVM and Arm32/Arm64) are vulnerable.

MITIGATION
==========

Not doing guest suspend/resume cycles will avoid the vulnerability.

Using emulated NICs instead of PV ones will avoid the vulnerability.

CREDITS
=======

This issue was discovered by Marek Marczykowski-Górecki of Invisible Things Lab.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa465-linux.patch     Linux

$ sha256sum xsa465*
7207a22e1e70d0b00278d90e797313bee9d72a968ddd38464b90f0612667826e  xsa465-linux.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of patches or mitigations is NOT permitted (except where
all the affected systems and VMs are administered and used only by
organisations which are members of the Xen Project Security Issues
Predisclosure List).  Specifically, deployment on public cloud systems
is NOT permitted.

This is because the patches need to be applied to the guests and using
emulated NICs is a guest visible configuration change.

Deployment is permitted only AFTER the embargo ends.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmdhaw0MHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZ1kYH/3u0RtjvoOLf2CTFAPhBfgVXZ0nbaQAVeVY14OXL
3WAOQzrspobwSJtVUqRCg14NllEkM2ityeAlussY++b9BFW7nqxji9yL/rSMpuPh
vsH/sDByBSUYxpaw/LgbkZVvhRq3vbK6E7fnXCw8BO9LYA+uTZRf4P6PRe0JeQtz
t0IyHsECXaPoSWzX18OtSrg1JFYhgBqB9vK4rKMvMjPpqZDIKlEgIpFwNlywZ6jx
H6T3CCKUPUZqmVegxJtXIof3STEr9bzd4StPaUrRXfToOg5ZsknUkari0Nr8xW27
mcTZaFVWgWwfI0irMs9jTp2agfQ6T+yptA8ZfM3J7kGvGcc=
=+A6o
-----END PGP SIGNATURE-----