Bug 1183071 (CVE-2021-28039)

Summary: VUL-0: CVE-2021-28039: xen: Linux: special config may crash when trying to map foreign pages (XSA-369)
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bpetkov, carnold, gianluca.gabrielli, jgross
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv3.1:SUSE:CVE-2021-28039:6.5:(AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2021-03-05 08:48:14 UTC
Created attachment 846821

Xen Security Advisory XSA-369

   Linux: special config may crash when trying to map foreign pages


With CONFIG_XEN_UNPOPULATED_ALLOC enabled, the Linux kernel will use guest
physical addresses allocated via the ZONE_DEVICE functionality for
mapping foreign guests' pages.

This will result in problems, as the p2m list will only cover the initial
memory size of the domain plus some padding at the end. Most ZONE_DEVICE
allocated addresses will be outside the p2m range and thus a mapping can't
be established with those memory addresses, resulting in a crash.

The attack involves doing I/O requiring large amounts of data to be
mapped by the Dom0 or driver domain.  The amount of data needed to
result in a crash can vary depending on the memory layout of the
affected Dom0 or driver domain.


A Dom0 or driver domain based on a Linux kernel (configured as
described above) can be crashed by a malicious guest administrator, or
possibly malicious unprivileged guest processes.


Only x86 paravirtualized (PV) Dom0 or driver domains are

Only Linux kernels configured *with* CONFIG_XEN_UNPOPULATED_ALLOC and
*without* CONFIG_XEN_BALLOON_MEMORY_HOTPLUG are vulnerable.  Only
kernels from kernel version 5.9 onwards are affected.

CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is enabled by default in upstream
Linux when Xen support is enabled, so kernels using upstream default
Kconfig are not affected.  Most distribution kernels supporting Xen
dom0 use are likewise not vulnerable.

Arm systems or x86 PVH or x86 HVM driver domains are not affected.


There is no mitigation available.


Applying the appropriate attached patch resolves this issue.

xsa369-linux.patch           Linux 5.9-stable - 5.12-rc

$ sha256sum xsa369*
937df4f078a070cf47bdd718c6b8a042ec6bee255eedc422d833c2ae3dd561c7  xsa369-linux.patch


This issue was discovered by Marek Marczykowski-Górecki of Invisible
Things Lab.

For patch:
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>


This was reported publicly multiple times, before the XSA could be
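As a defender-side check added here (not part of the advisory or of this bug), the following script parses a kernel build configuration and flags the affected combination the advisory names: kernel 5.9 or later, x86 PV Xen support, CONFIG_XEN_UNPOPULATED_ALLOC enabled and CONFIG_XEN_BALLOON_MEMORY_HOTPLUG not set. The two sample configs are constructed; CONFIG_XEN_PV is assumed as the indicator of PV support, and the script inspects build options only, so it cannot tell whether the kernel actually runs as a PV Dom0 or driver domain.

```python
import re

# Constructed sample configs (not from the advisory). The first matches the
# affected combination from XSA-369, the second the upstream default Kconfig.
VULNERABLE_CONFIG = """\
# Linux/x86 5.10.0 Kernel Configuration
CONFIG_XEN_PV=y
CONFIG_XEN_UNPOPULATED_ALLOC=y
# CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not set
"""

DEFAULT_CONFIG = """\
# Linux/x86 5.10.0 Kernel Configuration
CONFIG_XEN_PV=y
CONFIG_XEN_UNPOPULATED_ALLOC=y
CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
"""

def parse_kconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' lines map to 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'^(CONFIG_\w+)=(.*)$', line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r'^# (CONFIG_\w+) is not set$', line)
        if m:
            opts[m.group(1)] = 'n'
    return opts

def kernel_version(text):
    """Extract (major, minor) from the '# Linux/x86 5.10.0 Kernel Configuration' header."""
    m = re.search(r'Linux/\S+ (\d+)\.(\d+)', text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_xsa369_exposed(text):
    """True when the build config matches the affected combination from XSA-369:
    kernel >= 5.9, CONFIG_XEN_PV=y (assumed PV indicator),
    CONFIG_XEN_UNPOPULATED_ALLOC=y and CONFIG_XEN_BALLOON_MEMORY_HOTPLUG unset."""
    ver = kernel_version(text)
    if ver is None or ver < (5, 9):
        return False
    opts = parse_kconfig(text)
    return (opts.get('CONFIG_XEN_PV') == 'y'
            and opts.get('CONFIG_XEN_UNPOPULATED_ALLOC') == 'y'
            and opts.get('CONFIG_XEN_BALLOON_MEMORY_HOTPLUG', 'n') == 'n')
```

On a running Dom0 or driver domain, feed the function the contents of /boot/config-$(uname -r) or the decompressed /proc/config.gz.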
Comment 3 Robert Frohl 2021-03-05 09:28:34 UTC
@kernel-bugs: also looks like a duplicate, for bsc#1183035
Comment 5 Jürgen Groß 2021-03-05 09:56:05 UTC
As only kernels from 5.9 onwards are affected, I don't see any action on our side to be necessary.
Comment 6 Borislav Petkov 2021-03-05 11:19:59 UTC
(In reply to Jürgen Groß from comment #5)
> As only kernels from 5.9 onwards are affected, I don't see any action on our
> side to be necessary.

What about the master and stable branches? Or we don't support them with Xen?
Comment 7 Jürgen Groß 2021-03-05 11:26:35 UTC
master and stable will get the fix rather soon via upstream. The patches have already been taken there.

The issue itself is of rather low severity and our default kernel config is not affected by the issue.
Comment 8 Borislav Petkov 2021-03-05 11:32:12 UTC
Ok, good, I guess we're done here then. Bouncing back.
Comment 9 Robert Frohl 2021-03-08 09:14:14 UTC
*** Bug 1183035 has been marked as a duplicate of this bug. ***
Comment 10 Robert Frohl 2022-01-11 14:10:00 UTC
nothing to do, closing