
Re: NULL scheduler DoS

CC’ing julien@xxxxxxx


From: "Ahmed, Daniele" <ahmeddan@xxxxxxxxxxxx>
Date: Monday, 9 August 2021 at 17:19
To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Cc: Dario Faggioli <dfaggioli@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Grall, Julien" <jgrall@xxxxxxxxxxxx>, "Doebel, Bjoern" <doebel@xxxxxxxxx>, "Pohlack, Martin" <mpohlack@xxxxxxxxx>
Subject: NULL scheduler DoS


Hi all,

The NULL scheduler is affected by an issue that triggers an assertion and reboots the hypervisor.


This issue arises when:

  • a guest is being created with a configuration specifying a file that does not exist
  • the hypervisor boots with the null scheduler

4.16 is affected and 4.15 also.


This is the stack trace from 4.16:


(XEN) Assertion 'npc->unit == unit' failed at null.c:377
(XEN) ----[ Xen-4.16-unstable x86_64 debug=y Not tainted ]----
(XEN) CPU: 3
(XEN) RIP: e008:[<ffff82d04024f577>] common/sched/null.c#unit_deassign+0x1c3/0x2ec
(XEN) RFLAGS: 0000000000010006 CONTEXT: hypervisor
(XEN) rax: ffff83005ce1c850 rbx: 0000000000000001 rcx: 0000000000000001
(XEN) rdx: ffff83007fde6fc0 rsi: ffff83005ce1c790 rdi: ffff83007ffb7850
(XEN) rbp: ffff83007ffdfda0 rsp: ffff83007ffdfd48 r8: 0000000000000000
(XEN) r9: 0000000000048fee r10: 0000000000000000 r11: 0000000000000000
(XEN) r12: ffff82d0405c9298 r13: ffff83007f7fd508 r14: ffff83005ce1c850
(XEN) r15: ffff82d0405e2680 cr0: 000000008005003b cr4: 00000000003526e0
(XEN) cr3: 000000007f6b3000 cr2: ffff888072e79dc0
(XEN) fsb: 0000000000000000 gsb: ffff888071ac0000 gss: 0000000000000000
(XEN) ds: 002b es: 002b fs: 0000 gs: 0000 ss: e010 cs: e008
(XEN) Xen code around <ffff82d04024f577> (common/sched/null.c#unit_deassign+0x1c3/0x2ec):
(XEN) 41 5e 41 5f 5d c3 0f 0b <0f> 0b 0f 0b 0f 0b 0f 0b 49 8b 04 24 0f b7 00 66
(XEN) Xen stack trace from rsp=ffff83007ffdfd48:
(XEN) ffff83007ffdfd88 ffff82d04023961c 0000000400000000 ffff83005ce1cc50
(XEN) 0000000000000002 ffff83007ffdfd90 ffff83005ce1c790 ffff82d0405c9298
(XEN) ffff83007f7fd508 ffff83005ce1c850 ffff82d0405e2680 ffff83007ffdfde0
(XEN) ffff82d04024f889 ffff83007ffb7850 ffff83005dd63000 ffff83005ce1c790
(XEN) ffff83005845ab28 ffff83005845a000 0000000000000000 ffff83007ffdfe00
(XEN) ffff82d040253326 ffff83005dd63000 0000000000000000 ffff83007ffdfe38
(XEN) ffff82d04020506b ffff83007a881080 0000000000000000 0000000000000000
(XEN) 0000000000000000 ffff82d0405d6f80 ffff83007ffdfe70 ffff82d04022d9e5
(XEN) 0000001100000003 ffff82d0405cf100 ffff82d0405cf100 ffffffffffffffff
(XEN) ffff82d0405cef80 ffff83007ffdfea8 ffff82d04022e14b 0000000000000003
(XEN) ffff82d0405cf100 0000000000007fff 0000000000000003 0000000000000003
(XEN) ffff83007ffdfeb8 ffff82d04022e1e6 ffff83007ffdfef0 ffff82d0403172b4
(XEN) ffff82d04031721d ffff83007fec1000 ffff83007ffb6000 0000000000000003
(XEN) ffff83007ffcc000 ffff83007ffdfe18 0000000000000000 0000000000000000
(XEN) 0000000000000000 0000000000000000 0000000000000003 0000000000000003
(XEN) 0000000000000246 0000000000000003 0000000000000000 000000001bf9dde5
(XEN) 0000000000000000 ffffffff810023aa 0000000000000003 deadbeefdeadf00d
(XEN) deadbeefdeadf00d 0000010000000000 ffffffff810023aa 000000000000e033
(XEN) 0000000000000246 ffffc900400a3ea8 000000000000e02b 7ffdff707fffd140
(XEN) 000000017fe37a6c 000000007ffe8010 0000000000000000 0000e01000000003
(XEN) Xen call trace:
(XEN) [<ffff82d04024f577>] R common/sched/null.c#unit_deassign+0x1c3/0x2ec
(XEN) [<ffff82d04024f889>] F common/sched/null.c#null_unit_remove+0xfc/0x136
(XEN) [<ffff82d040253326>] F sched_destroy_vcpu+0xca/0x199
(XEN) [<ffff82d04020506b>] F common/domain.c#complete_domain_destroy+0x68/0x13f
(XEN) [<ffff82d04022d9e5>] F common/rcupdate.c#rcu_process_callbacks+0xdb/0x24b
(XEN) [<ffff82d04022e14b>] F common/softirq.c#__do_softirq+0x8a/0xbc
(XEN) [<ffff82d04022e1e6>] F do_softirq+0x13/0x15
(XEN) [<ffff82d0403172b4>] F arch/x86/domain.c#idle_loop+0x97/0xee
(XEN) ****************************************
(XEN) Panic on CPU 3:
(XEN) Assertion 'npc->unit == unit' failed at null.c:377
(XEN) ****************************************
(XEN) Reboot in five seconds...


This is the line of the assertion that triggers the reboot: https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/common/sched/null.c;h=82d5d1baab853d24fcbb455fb3f3e8263c871277;hb=HEAD#l377


To reproduce the vulnerability, I took the following steps:

  • Install XEN; only 4.15+ seem to be vulnerable
  • Use the null scheduler (depends on your setup): edit /etc/default/grub adding at the end of the file: GRUB_CMDLINE_XEN="sched=null" and update grub
  • Reboot into xen
  • Create a file guest.cfg with the following contents:

        serial = [ 'file:/tmp/log', 'pty' ]
        disk = [ '/home/user/boot.iso,,hdc,cdrom' ]
        on_reboot = "destroy"

    Make sure that the file /home/user/boot.iso does not exist.
  • Create a guest with this configuration: xl create -c guest.cfg

CC’ing Dario, Stefano and Julien to whom I’ve shown this.
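The failure path described in the report is a guest creation that fails part-way (here because the disk target is missing) on a host running sched=null, after which the domain teardown trips the assertion at null.c:377. Until a fixed hypervisor is deployed, one operational mitigation is to refuse to run `xl create` when a config references a non-existent disk target on a null-scheduler host. The script below is an added example written for this page, not code from the report or from the Xen project. It assumes that xl config files use Python-like literals on single `key = value` lines, that the first positional field of a disk spec is the backing path (optionally with the deprecated `file:`/`phy:` prefix), and that `xl info` reports the active scheduler in a field named `xen_scheduler`; the sample config embedded in it is constructed to mirror the one in the report.

```python
import ast
import os
import re

# Constructed sample config, mirroring the shape of the one in the report.
SAMPLE_CFG = """
serial = [ 'file:/tmp/log', 'pty' ]
disk = [ '/home/user/boot.iso,,hdc,cdrom' ]
on_reboot = "destroy"
"""

_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")


def parse_xl_cfg(text):
    """Parse single-line 'key = value' entries of an xl guest config.

    Assumption: values are Python-like literals (strings, numbers, lists),
    so ast.literal_eval covers them; anything else is kept as raw text.
    '#' starts a comment (paths containing '#' are not handled).
    """
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _ASSIGN.match(line)
        if not m:
            continue
        try:
            cfg[m.group(1)] = ast.literal_eval(m.group(2))
        except (ValueError, SyntaxError):
            cfg[m.group(1)] = m.group(2)
    return cfg


def disk_targets(cfg):
    """Return the backing path of every disk entry.

    Assumption: positional disk spec is target,format,vdev,access, so the
    first comma-separated field is the target. A deprecated 'file:'/'phy:'
    prefix is stripped; an empty target (empty CD-ROM drive) is skipped.
    """
    targets = []
    for spec in cfg.get("disk", []):
        target = spec.split(",", 1)[0].strip()
        target = re.sub(r"^(file|phy):", "", target)
        if target:
            targets.append(target)
    return targets


def missing_disk_files(cfg, exists=os.path.exists):
    """Disk targets that do not exist on the host (exists() is injectable for tests)."""
    return [t for t in disk_targets(cfg) if not exists(t)]


def scheduler_is_null(xl_info_output):
    """True if `xl info` output reports the null scheduler (field name assumed: xen_scheduler)."""
    for line in xl_info_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "xen_scheduler":
            return value.strip() == "null"
    return False


def preflight(cfg_text, xl_info_output, exists=os.path.exists):
    """Return human-readable findings; an empty list means the config is safe to create."""
    cfg = parse_xl_cfg(cfg_text)
    findings = [f"disk target does not exist: {p}"
                for p in missing_disk_files(cfg, exists)]
    if findings and scheduler_is_null(xl_info_output):
        findings.append("hypervisor runs sched=null: a failed create would hit "
                        "the null.c:377 assertion and reboot the host")
    return findings


if __name__ == "__main__":
    import subprocess
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    try:
        info = subprocess.run(["xl", "info"], capture_output=True, text=True).stdout
    except FileNotFoundError:  # not running on a Xen dom0
        info = ""
    for finding in preflight(text, info):
        print("PREFLIGHT:", finding)
```

Run it as `python3 preflight.py guest.cfg` in dom0 before `xl create`; a non-empty finding list is the signal to stop. The `exists` parameter is injected so the path check can be exercised without the files present.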