Xen Project XSA-350

Use after free triggered by block frontend in Linux blkback

Published: 2020-12-15 12:00:00
Source: Xen Project, xenbits.xen.org

CVSS3: 8.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS2: 7.2 High
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low (percentile 13.3%)

ISSUE DESCRIPTION

The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the connect and disconnect states.
As a consequence, the block backend may re-use a pointer after it was freed.

IMPACT

A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leak cannot be ruled out.

VULNERABLE SYSTEMS

Systems using Linux blkback are vulnerable. This includes most systems with a Linux dom0, or Linux driver domains.
Linux versions containing a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread"), or its backports, are vulnerable. This includes all current linux-stable branches back to at least linux-stable/linux-4.4.y.
When the Xen PV block backend is provided by userspace (e.g. qemu), that backend is not vulnerable. So configurations where the xl.cfg domain configuration file specifies all disks with backendtype="qdisk" are not vulnerable.
The Linux blkback only supports raw format images, so when all disks have a format other than format="raw", the system is not vulnerable.
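The two exclusions above (qdisk backend, non-raw format) can be turned into a quick audit of a domain's xl.cfg. The script below is an added example, not part of the advisory or the Xen Project's tooling; it handles only the key=value disk syntax, treats a missing format as raw (a conservative assumption), and flags every disk that could still be served by Linux blkback.

```python
import re

# Constructed sample xl.cfg fragment (not taken from the advisory).
SAMPLE_CFG = '''
name = "guest1"
disk = [
    'format=raw, vdev=xvda, access=rw, target=/dev/vg0/guest1',
    'format=qcow2, vdev=xvdb, access=rw, target=/var/lib/xen/images/data.qcow2',
    'format=raw, vdev=xvdc, backendtype=qdisk, target=/srv/iso/install.iso',
]
'''

# Matches the body of a "disk = [ ... ]" list, possibly spanning several lines.
DISK_LIST_RE = re.compile(r"^\s*disk\s*=\s*\[(.*?)\]", re.MULTILINE | re.DOTALL)
# Matches each quoted disk specification inside that list.
DISK_SPEC_RE = re.compile(r"""['"]([^'"]*)['"]""")

def parse_disk_spec(spec):
    """Parse one key=value xl disk spec into a dict.
    Assumption: legacy positional specs such as 'phy:/dev/vg/x,xvda,w' are not handled."""
    params = {}
    for part in spec.split(","):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def disk_uses_linux_blkback(params):
    """Apply the advisory's exclusions: a userspace backend (qdisk) is not affected,
    and blkback only serves raw images. A missing 'format' is treated as raw
    (conservative assumption, since libxl may infer raw for block-device targets)."""
    if params.get("backendtype") == "qdisk":
        return False
    return params.get("format", "raw") == "raw"

def audit_xl_cfg(cfg_text):
    """Return the vdevs (or raw specs, if no vdev) that may be served by Linux blkback."""
    flagged = []
    for disk_list in DISK_LIST_RE.findall(cfg_text):
        for spec in DISK_SPEC_RE.findall(disk_list):
            params = parse_disk_spec(spec)
            if disk_uses_linux_blkback(params):
                flagged.append(params.get("vdev", spec))
    return flagged

if __name__ == "__main__":
    print("disks possibly using Linux blkback:", audit_xl_cfg(SAMPLE_CFG))  # → ['xvda']
```

A domain whose list comes back empty falls under the advisory's "not vulnerable" configurations; any flagged disk means the dom0 or driver domain kernel needs the fix.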
