Information

Advisory XSA-365
Public release 2021-02-16 12:00
Updated 2021-02-16 12:35
Version 3
CVE(s) CVE-2021-26930
Title Linux: error handling issues in blkback's grant mapping

Files

advisory-365.txt (signed advisory file)
xsa365-linux.patch

Advisory


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2021-26930 / XSA-365
                               version 3

        Linux: error handling issues in blkback's grant mapping

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

To service requests, the driver maps grant references provided by the
frontend.  In this process, errors may be encountered.  In one case an
error encountered earlier might be discarded by later processing,
resulting in the caller assuming successful mapping, and hence
subsequent operations trying to access space that wasn't mapped.  In
another case internal state would be insufficiently updated, preventing
safe recovery from the error.
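The two failure modes the description names, as an added hypothetical C model (not blkback's code and not the attached patch): a batch loop whose status is overwritten by later batches, beside a version that latches the first error and records how far mapping got so the error path can undo exactly that. All names (fake_map_batch, map_segs_buggy, map_segs_fixed, scenario) and the scenario data are assumptions.

```c
#include <stdbool.h>
/* Hypothetical model of a batched grant-mapping loop; not blkback's code.
 * A fake "hypercall" maps BATCH entries at a time and returns 0 or -1. */
#define BATCH 4
#define NSEG  8
struct seg { int gref; bool mapped; };

/* Fake map call: maps every entry except the one whose gref == fail_gref. */
static int fake_map_batch(struct seg *s, int n, int fail_gref)
{
    int err = 0;
    for (int i = 0; i < n; i++) {
        if (s[i].gref == fail_gref) err = -1; else s[i].mapped = true;
    }
    return err;
}

/* Buggy pattern: ret is overwritten per batch, so an earlier batch's error
 * is lost once a later batch succeeds; the caller then assumes all mapped. */
int map_segs_buggy(struct seg *s, int nseg, int fail_gref)
{
    int ret = 0;
    for (int off = 0; off < nseg; off += BATCH)
        ret = fake_map_batch(s + off, nseg - off < BATCH ? nseg - off : BATCH, fail_gref);
    return ret;
}

/* Fixed pattern: latch the first error, issue no further batches, and track
 * how far mapping got so the error path unmaps exactly what was mapped. */
int map_segs_fixed(struct seg *s, int nseg, int fail_gref)
{
    int ret = 0, done = 0;
    for (int off = 0; off < nseg && !ret; off += BATCH) {
        int n = nseg - off < BATCH ? nseg - off : BATCH;
        ret = fake_map_batch(s + off, n, fail_gref);
        done = off + n;                  /* updated even for the failing batch */
    }
    for (int i = 0; ret && i < done; i++)
        s[i].mapped = false;             /* safe recovery: nothing left mapped */
    return ret;
}

/* Constructed scenario: NSEG segments, the grant with gref 1 (first batch)
 * fails. Returns the mapper's verdict, or the count still mapped afterwards. */
int scenario(bool fixed, bool want_mapped_count)
{
    struct seg s[NSEG];
    for (int i = 0; i < NSEG; i++) { s[i].gref = i; s[i].mapped = false; }
    int ret = fixed ? map_segs_fixed(s, NSEG, 1) : map_segs_buggy(s, NSEG, 1), mapped = 0;
    for (int i = 0; i < NSEG; i++) mapped += s[i].mapped;
    return want_mapped_count ? mapped : ret;
}
```

The buggy mapper reports success while leaving seven of eight segments mapped with a hole at the failed one, which is what lets a caller touch space that was never mapped; the fixed mapper reports the error and leaves nothing mapped.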

IMPACT
======

A malicious or buggy frontend driver may be able to crash the
corresponding backend driver, potentially affecting the entire domain
running the backend driver.  In configurations without driver domains
or similar disaggregation, that is a host-wide denial of service.

Privilege escalation and information leaks cannot be ruled out.

VULNERABLE SYSTEMS
==================

Linux versions from at least 3.11 onwards are vulnerable.

MITIGATION
==========

Reconfiguring guests to use alternative (e.g. qemu-based) backends may
avoid the vulnerability.

CREDITS
=======

This issue was discovered by Olivier Benjamin, Norbert Manthey, Martin
Mazein, and Jan H. Schönherr, all from Amazon.

RESOLUTION
==========

Applying the attached patch resolves this issue.

xsa365-linux.patch           Linux 5.11-rc - 5.10

$ sha256sum xsa365*
7e45fcf3c70eb40debe9997a1773de7c4a2edcde5c23f76aeb5c1b6e3a34a654  xsa365-linux.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches described above (or others which are
substantially similar) is permitted during the embargo, even on
public-facing systems with untrusted guest users and administrators.

HOWEVER, deployment of the non-kernel-based backends mitigation
described above is NOT permitted during the embargo on public-facing
systems with untrusted guest users and administrators.  This is because
such a configuration change may be recognizable by the affected guests.

AND: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----


Xenproject.org Security Team