|Package(s):||kernel||CVE #(s):||CVE-2014-2580 CVE-2014-0077 CVE-2014-2568|
|Created:||April 4, 2014||Updated:||April 9, 2014|
|Description:||From the Red Hat bugzilla entries [1, 2, 3]:
CVE-2014-2580: When Linux's netback sees a malformed packet, it tries to disable the interface which serves the misbehaving frontend. This involves taking a mutex, which might sleep. But in recent versions of Linux the guest transmit path is handled by NAPI in softirq context, where sleeping is not allowed. The end result is that the backend domain (often, Dom0) crashes with "scheduling while atomic". Malicious guest administrators can cause denial of service. If driver domains are not in use, the impact is a host crash.
CVE-2014-0077: A flaw was found in the way handle_rx() function handled big packets when mergeable buffers were disabled. A privileged user in the guest could use this flaw to crash the host, or, potentially, escalate their privileges to the ones of the hosting qemu process by corrupting qemu memory.
CVE-2014-2568: An information leak flaw was found in the way skb_zerocopy() copied skbs that are backed by userspace buffers (for example vhost-net and recent xen netback). Once the source skb is consumed, the ubuf destructor is called and potentially releases the corresponding userspace buffers, which can then for example be repurposed, while the destination skb is still pointing to them.
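The CVE-2014-2568 description above is a lifetime problem rather than a bounds problem, so the following user-space model (added here; it is neither kernel code nor taken from the bugzilla entries, and every struct and function name in it is hypothetical) acts it out. A "source skb" borrows a guest buffer, a "destination skb" is built from it by copying fragment pointers only, and consuming the source runs the ubuf destructor, which hands the buffer back to its owner, who immediately reuses it. The hardened variant copies any user-backed fragment into memory the destination owns before the source can be consumed, which is the idea behind the kernel's skb_orphan_frags() helper (copying user-backed frags into kernel-owned pages), applied here to the destination for simplicity.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the kernel structures involved. */
#define MAX_FRAGS 4

struct ubuf_info {
    unsigned char *user_mem;   /* memory still owned by the guest/userspace */
    size_t len;
};

struct frag {
    unsigned char *data;
    size_t len;
    int owned;                 /* 1 if data was malloc'd for this skb */
};

struct skb {
    struct frag frags[MAX_FRAGS];
    int nr_frags;
    struct ubuf_info *ubuf;    /* non-NULL while frags point into user memory */
};

/* Stand-in for the ubuf destructor: the transmit is complete, the buffer goes
 * back to its owner, who may reuse it at once. Simulate that reuse by filling
 * it with unrelated data. */
static void ubuf_destructor(struct ubuf_info *u)
{
    memset(u->user_mem, 'Z', u->len);
}

/* Consuming the source skb runs the destructor, as the advisory describes. */
static void consume_skb(struct skb *s)
{
    if (s->ubuf) {
        ubuf_destructor(s->ubuf);
        s->ubuf = NULL;
    }
    s->nr_frags = 0;
}

/* Pre-fix behaviour: copy fragment pointers only, so dst aliases whatever src
 * points at, including memory src merely borrowed from userspace. */
static void zerocopy_alias(struct skb *dst, const struct skb *src)
{
    for (int i = 0; i < src->nr_frags; i++) {
        dst->frags[dst->nr_frags] = src->frags[i];
        dst->frags[dst->nr_frags].owned = 0;
        dst->nr_frags++;
    }
}

/* Hardened behaviour: a user-backed fragment is copied into memory that dst
 * owns, so dst no longer depends on the user buffer's lifetime. */
static int zerocopy_orphaning(struct skb *dst, const struct skb *src)
{
    for (int i = 0; i < src->nr_frags; i++) {
        struct frag *f = &dst->frags[dst->nr_frags];
        *f = src->frags[i];
        if (src->ubuf) {
            f->data = malloc(f->len);
            if (!f->data)
                return -1;
            memcpy(f->data, src->frags[i].data, f->len);
            f->owned = 1;
        } else {
            f->owned = 0;
        }
        dst->nr_frags++;
    }
    return 0;
}

static void free_skb(struct skb *s)
{
    for (int i = 0; i < s->nr_frags; i++)
        if (s->frags[i].owned)
            free(s->frags[i].data);
    s->nr_frags = 0;
}

/* Run one scenario. Returns 1 if dst still holds the payload it was built
 * from, 0 if it now sees what the owner wrote into the recycled buffer. */
int dst_sees_original_payload(int orphan)
{
    static const char payload[] = "guest packet data";   /* constructed input */
    unsigned char user_mem[sizeof payload];               /* the "guest" buffer */
    memcpy(user_mem, payload, sizeof payload);

    struct ubuf_info u = { user_mem, sizeof payload };
    struct skb src = { .nr_frags = 1, .ubuf = &u };
    src.frags[0] = (struct frag){ user_mem, sizeof payload, 0 };
    struct skb dst = { .nr_frags = 0, .ubuf = NULL };

    if (orphan) {
        if (zerocopy_orphaning(&dst, &src) != 0)
            return -1;
    } else {
        zerocopy_alias(&dst, &src);
    }

    consume_skb(&src);   /* destructor runs; the guest buffer is recycled */

    int intact = memcmp(dst.frags[0].data, payload, sizeof payload) == 0;
    free_skb(&dst);
    return intact;
}

int main(void)
{
    printf("aliasing frags:  dst intact = %d\n", dst_sees_original_payload(0));
    printf("orphaning frags: dst intact = %d\n", dst_sees_original_payload(1));
    return 0;
}
```

In the aliasing case the destination ends up carrying whatever the buffer's owner put there next, which in the real bug means data from a later, unrelated packet or guest; the orphaning case pays for a copy but is immune to the destructor's timing.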
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds