* Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms
From: Juergen Gross @ 2024-06-20 7:53 UTC (permalink / raw)
To: cve, linux-kernel; +Cc: Greg Kroah-Hartman, security@xenproject.org
On 19.06.24 16:54, Greg Kroah-Hartman wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> xen/blkfront: harden blkfront against event channel storms
>
> The Xen blkfront driver is still vulnerable to an attack via an excessive
> number of events sent by the backend. Fix that by using lateeoi event
> channels.
>
> This is part of XSA-391
>
> The Linux kernel CVE team has assigned CVE-2021-47573 to this issue.
When issuing XSA-391 the Xen security team already assigned CVE-2021-28711
to this issue.
Juergen
* Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms
From: Greg Kroah-Hartman @ 2024-06-20 8:18 UTC (permalink / raw)
To: Juergen Gross; +Cc: cve, linux-kernel, security@xenproject.org
On Thu, Jun 20, 2024 at 09:53:02AM +0200, Juergen Gross wrote:
> On 19.06.24 16:54, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > xen/blkfront: harden blkfront against event channel storms
> >
> > The Xen blkfront driver is still vulnerable to an attack via an excessive
> > number of events sent by the backend. Fix that by using lateeoi event
> > channels.
> >
> > This is part of XSA-391
> >
> > The Linux kernel CVE team has assigned CVE-2021-47573 to this issue.
>
> When issuing XSA-391 the Xen security team already assigned CVE-2021-28711
> to this issue.
Cool, but why was that not documented in the CVE entry itself? I search
the existing CVE database when assigning CVEs for older things like this
(the import of the GSD database), and if there is no reference in the
CVE entry, then I have to assume that no CVE was assigned to the commit.
I'll go reject this one (and the other ones you pointed out), but can
you please update the CVE json entry with the information and ids of the
fixed commits so that everyone can correctly track these?
Also, the XSA-391 announcement doesn't say anything about them either,
is that intentional?
thanks,
greg k-h
* Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms
From: Jan Beulich @ 2024-06-20 8:46 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: cve, linux-kernel, security@xenproject.org, Juergen Gross
On 20.06.2024 10:18, Greg Kroah-Hartman wrote:
> Also, the XSA-391 announcement doesn't say anything about them either,
> is that intentional?
If by announcement you mean the email sent out to xen-security-issues@lists.xen.org,
then the copy I'm looking at (v3, the only one having gone public afaict) clearly
lists the three CVEs.
Jan
* Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms
From: Greg Kroah-Hartman @ 2024-06-20 9:20 UTC (permalink / raw)
To: Jan Beulich; +Cc: cve, linux-kernel, security@xenproject.org, Juergen Gross
On Thu, Jun 20, 2024 at 10:46:10AM +0200, Jan Beulich wrote:
> On 20.06.2024 10:18, Greg Kroah-Hartman wrote:
> > Also, the XSA-391 announcement doesn't say anything about them either,
> > is that intentional?
>
> If by announcement you mean the email sent out to xen-security-issues@lists.xen.org,
> then the copy I'm looking at (v3, the only one having gone public afaict) clearly
> lists the three CVEs.
I'm looking at:
https://xenbits.xen.org/xsa/advisory-391.html
and I don't see a git id anywhere, where do you see the v3 announcement
saying that?
Also, the json file at:
https://www.cve.org/CVERecord?id=CVE-2021-28711
points to:
https://xenbits.xenproject.org/xsa/advisory-391.txt
Not to the html document, which is correct?
But to be fair, I'm not going to be able to search all links in all json
files for all entries, so even if the 391 announcement did show the git
ids for the changes, I would miss it. All I can do is search the json
repo for all CVEs.
thanks,
greg k-h
* Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms
From: Jan Beulich @ 2024-06-20 9:32 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: cve, linux-kernel, security@xenproject.org, Juergen Gross
On 20.06.2024 11:20, Greg Kroah-Hartman wrote:
> On Thu, Jun 20, 2024 at 10:46:10AM +0200, Jan Beulich wrote:
>> On 20.06.2024 10:18, Greg Kroah-Hartman wrote:
>>> Also, the XSA-391 announcement doesn't say anything about them either,
>>> is that intentional?
>>
>> If by announcement you mean the email sent out to xen-security-issues@lists.xen.org,
>> then the copy I'm looking at (v3, the only one having gone public afaict) clearly
>> lists the three CVEs.
>
> I'm looking at:
> https://xenbits.xen.org/xsa/advisory-391.html
> and I don't see a git id anywhere, where do you see the v3 announcement
> saying that?
Hmm, okay, I then misunderstood your earlier reply: I was assuming you
were looking for the CVE numbers associated with the XSA, as I thought
that's what you need to know when deciding whether to issue one
yourself. No, we didn't ever mention commit IDs anywhere, except when
issuing XSAs after-the-fact (i.e. changes already having gone in earlier
on). I guess we need to see whether that's feasible to do for Linux XSAs
going forward. Yet then it may not be needed there, as we'd now ask you
for CVE numbers in such cases anyway?
Jan
> Also, the json file at:
> https://www.cve.org/CVERecord?id=CVE-2021-28711
> points to:
> https://xenbits.xenproject.org/xsa/advisory-391.txt
> Not to the html document, which is correct?
>
> But to be fair, I'm not going to be able to search all links in all json
> files for all entries, so even if the 391 announcement did show the git
> ids for the changes, I would miss it. All I can do is search the json
> repo for all CVEs.
>
> thanks,
>
> greg k-h
* Re: CVE-2021-47573: xen/blkfront: harden blkfront against event channel storms
From: Greg Kroah-Hartman @ 2024-06-20 9:41 UTC (permalink / raw)
To: Jan Beulich; +Cc: cve, linux-kernel, security@xenproject.org, Juergen Gross
On Thu, Jun 20, 2024 at 11:32:49AM +0200, Jan Beulich wrote:
> On 20.06.2024 11:20, Greg Kroah-Hartman wrote:
> > On Thu, Jun 20, 2024 at 10:46:10AM +0200, Jan Beulich wrote:
> >> On 20.06.2024 10:18, Greg Kroah-Hartman wrote:
> >>> Also, the XSA-391 announcement doesn't say anything about them either,
> >>> is that intentional?
> >>
> >> If by announcement you mean the email sent out to xen-security-issues@lists.xen.org,
> >> then the copy I'm looking at (v3, the only one having gone public afaict) clearly
> >> lists the three CVEs.
> >
> > I'm looking at:
> > https://xenbits.xen.org/xsa/advisory-391.html
> > and I don't see a git id anywhere, where do you see the v3 announcement
> > saying that?
>
> Hmm, okay, I then misunderstood your earlier reply: I was assuming you
> were looking for the CVE numbers associated with the XSA, as I thought
> that's what you need to know when deciding whether to issue one
> yourself. No, we didn't ever mention commit IDs anywhere, except when
> issuing XSAs after-the-fact (i.e. changes already having gone in earlier
> on). I guess we need to see whether that's feasible to do for Linux XSAs
> going forward. Yet then it may not be needed there, as we'd now ask you
> for CVE numbers in such cases anyway?
Yes, going forward it's not going to matter, I was just trying to verify
that when I assign ids for older stuff like this that I'm not messing up
in an obvious way :)
thanks,
greg k-h