How to lock up the host machine by a guest using tracepath over virtio-net network interface
|Reported by:||Thomas Dreibholz||Owned by:|
|Keywords:||Denial of Service, Host DoS, kernel lock-up||Cc:||Simone Ferlin-Oliveira <ferlin@…>, Amund Kvalbein <amundk@…>|
|Guest type:||Linux||Host type:||Linux|
I have discovered a problem with virtio-net that leads to a lockup of the host machine's kernel and the need for a hard reset to make it working again. It can be reproduced easily as follows:
- The host system is a 64-bit Linux (tested with Ubuntu 12.04 LTS and Kubuntu 13.04). Did not try 32 bit.
- VirtualBox is the latest version 4.2.12 (using Oracle's Ubuntu repository).
- Create a new VM, use e.g. Kubuntu live CD image (32 or 64 bit, makes no difference). No disk needed.
- Network adapter is: Bridged, Adapter Type: virtio-net.
- Boot the system, ensure that network is working.
- tracepath 188.8.131.52
- Now, the virtual machine locks up and the host machine's kernel seems to have at least one core blocked. See the attached picture of the host machine's console output. The message is "BUG: soft lockup - CPU #2 stuck for 22s ...". Also, the network on the host machine does not work any more. For example, "ifconfig" just hangs.
- To recover the host machine, it needs a hard reset. "sudo reboot", etc. will not work, since the kernel seems to hang.
This bug is critical, since it makes the host machine's network unusable (particularly, if the host system is at a remote location), and it is very easy to trigger with just a simple, standard "tracepath" call inside a virtual machine. It is therefore trivial for a normal user in such a machine to trigger a denial of service. I did no further investigation of the problem yet, but if it is related to the path MTU discovery by tracepath, it might be possible to trigger it by a lot of other software as well.