An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback.
2020-12-15T17:15:14.707
2024-11-21T05:24:13.443
Modified
CVSSv3.1: 8.8 (HIGH)
AV:L/AC:L/Au:N/C:C/I:C/A:C
3.9
10.0
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | xen | xen | ≤ 4.14.1 | Yes |
| Operating System | linux | linux_kernel | < 4.2 | Yes |
| Operating System | linux | linux_kernel | < 4.4.254 | Yes |
| Operating System | linux | linux_kernel | < 4.9.249 | Yes |
| Operating System | linux | linux_kernel | < 4.12 | Yes |
| Operating System | linux | linux_kernel | < 4.14.213 | Yes |
| Operating System | linux | linux_kernel | < 4.19.164 | Yes |
| Operating System | linux | linux_kernel | < 5.4.86 | Yes |
| Operating System | linux | linux_kernel | < 5.10.4 | Yes |
| Operating System | netapp | hci_compute_node_bios | - | Yes |
| Hardware | netapp | hci_compute_node | - | No |
| Application | netapp | solidfire_\&_hci_management_node | - | Yes |
| Application | netapp | solidfire_\&_hci_storage_node | - | Yes |
| Operating System | debian | debian_linux | 9.0 | Yes |
| Operating System | debian | debian_linux | 10.0 | Yes |