lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 21 Jun 2013 16:33:35 +0200
From: Thomas Dreibholz <dreibh@...ula.no>
To: Full-Disclosure@...ts.grok.org.uk
Subject: How to lock up a VirtualBox host machine with a
	guest using tracepath over virtio-net network interface

Hi, 

I have discovered a problem with the VirtualBox virtio-net network driver that 
leads to a lockup of the host machine's kernel and the need for a hard reset 
to make it working again. The bug had been reported to the VirtualBox bug 
tracker 8 days ago (https://www.virtualbox.org/ticket/11863), with the usual 
reaction from Oracle support (i.e. none).

The bug can be reproduced easily as follows: 

- The host system is a 64-bit Linux (tested with Ubuntu 12.04 LTS and Kubuntu 
13.04). Did not try 32 bit.

- VirtualBox is the latest version 4.2.12 (using Oracle's Ubuntu repository). 

- Create a new VM, use e.g. Kubuntu live CD image (32 or 64 bit, makes no 
difference). No disk needed.

- Network adapter is: Bridged, Adapter Type: virtio-net.
Boot the system, ensure that network is working.

- tracepath 8.8.8.8 
Now, the virtual machine locks up and the host machine's kernel seems to have 
at least one core blocked. The host machine's console output is "BUG: soft 
lockup - CPU #2 stuck for 22s ...". Also, the network on the host machine does 
not work any more. For example, "ifconfig" just hangs. 

- To recover the host machine, it needs a hard reset. "sudo reboot", etc. will 
not work, since the kernel seems to hang. 

This bug is critical, since it makes the host machine's network unusable 
(particularly, if the host system is at a remote location), and it is very 
easy to trigger with just a simple, standard "tracepath" call inside a virtual 
machine. It is therefore trivial for a normal user in such a machine to 
trigger a denial of service. I did no further investigation of the problem 
yet, but if it is related to the path MTU discovery by tracepath, it might be 
possible to trigger it by a lot of other software as well. 


Best regards, 

Thomas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ