Full Disclosure mailing list archives

Re: How to lock up a VirtualBox host machine with a guest using tracepath over virtio-net network interface


From: Źmicier Januszkiewicz <gauri () tut by>
Date: Wed, 26 Jun 2013 09:09:52 +0200

Hi,

Tested this on Windows 7 x64 host instead (no Linux box available atm);
confirmed the issue (consumes CPU and kills the host network adapter).

Can someone assign a CVE for this? Looks like this can be exploited to at
least DoS other VMs on the same host.

2013/6/21 Thomas Dreibholz <dreibh () simula no>

Hi,

I have discovered a problem with the VirtualBox virtio-net network driver
that leads to a lockup of the host machine's kernel and the need for a hard
reset to make it work again. The bug had been reported to the VirtualBox
bug tracker 8 days ago (https://www.virtualbox.org/ticket/11863), with the
usual reaction from Oracle support (i.e. none).

The bug can be reproduced easily as follows:

- The host system is a 64-bit Linux (tested with Ubuntu 12.04 LTS and
Kubuntu 13.04). Did not try 32 bit.

- VirtualBox is the latest version 4.2.12 (using Oracle's Ubuntu
repository).

- Create a new VM, use e.g. Kubuntu live CD image (32 or 64 bit, makes no
difference). No disk needed.

- Network adapter is: Bridged, Adapter Type: virtio-net.
Boot the system, ensure that network is working.

- tracepath 8.8.8.8
Now, the virtual machine locks up and the host machine's kernel seems to
have at least one core blocked. The host machine's console output is
"BUG: soft lockup - CPU #2 stuck for 22s ...". Also, the network on the
host machine does not work any more. For example, "ifconfig" just hangs.

- To recover the host machine, it needs a hard reset. "sudo reboot", etc.
will not work, since the kernel seems to hang.

This bug is critical, since it makes the host machine's network unusable
(particularly, if the host system is at a remote location), and it is very
easy to trigger with just a simple, standard "tracepath" call inside a
virtual machine. It is therefore trivial for a normal user in such a
machine to trigger a denial of service. I did no further investigation of
the problem yet, but if it is related to the path MTU discovery by
tracepath, it might be possible to trigger it by a lot of other software
as well.


Best regards,

Thomas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

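Added example (not part of the original posts, and not Oracle's code): a host-side audit that flags VM network adapters matching the configuration reported above, i.e. attachment "Bridged" with adapter type virtio-net. It assumes the nicN / nictypeN / bridgeadapterN keys as printed by "VBoxManage showvminfo <vm> --machinereadable"; the sample input and the function names are constructed for illustration.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE = '''name="kubuntu-live"
nic1="bridged"
nictype1="virtio"
bridgeadapter1="eth0"
nic2="nat"
nictype2="virtio"
nic3="bridged"
nictype3="82540EM"
bridgeadapter3="eth0"
nic4="none"
'''


def parse_machinereadable(text):
    """Parse key="value" lines into a dict; keys may be quoted as well."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        props[key.strip().strip('"')] = value.strip().strip('"')
    return props


def risky_adapters(text):
    """Return sorted (slot, host_interface) pairs for adapters that are
    bridged AND use the virtio-net type, the combination in the report."""
    props = parse_machinereadable(text)
    findings = []
    for key, mode in props.items():
        match = re.fullmatch(r"nic(\d+)", key)
        if match is None or mode != "bridged":
            continue
        slot = int(match.group(1))
        if props.get("nictype%d" % slot) == "virtio":
            host_if = props.get("bridgeadapter%d" % slot, "unknown")
            findings.append((slot, host_if))
    return sorted(findings)


if __name__ == "__main__":
    for slot, host_if in risky_adapters(SAMPLE):
        print("adapter %d: bridged virtio-net on host interface %s" % (slot, host_if))
```

Only the bridged virtio-net combination is flagged because that is the only one the posts report testing; other attachment modes are left unflagged, not confirmed safe.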
