Xen Project XSA-350
Dec 15, 2020 - 12:00 p.m.

Use after free triggered by block frontend in Linux blkback

Xen Project
xenbits.xen.org

CVSS2: 7.2 High
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

CVSS3: 8.8 High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.0004 Low
Percentile: 14.4%

ISSUE DESCRIPTION

The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the connect and disconnect states.
As a consequence, the block backend may re-use the pointer after it has been freed.

IMPACT

A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out.

VULNERABLE SYSTEMS

Systems using Linux blkback are vulnerable. This includes most systems with a Linux dom0, and systems with Linux driver domains.
Linux versions containing commit a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread"), or its backports, are vulnerable. This includes all current linux-stable branches back to at least linux-stable/linux-4.4.y.
When the Xen PV block backend is provided by userspace (e.g. qemu), that backend is not vulnerable. So configurations where the xl.cfg domain configuration file specifies all disks with backendtype="qdisk" are not vulnerable.
The Linux blkback only supports raw format images, so when all disks have a format other than format="raw", the system is not vulnerable.
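The two configuration exclusions above (backendtype="qdisk", or a non-raw format) can be checked mechanically against a domain's xl.cfg. The following script is an added example, not tooling from the Xen Project or the advisory: it pulls the disk = [...] list out of an xl.cfg, parses both the key=value and the positional legacy disk syntax, and flags every disk that the advisory's rules do not rule out as a Linux blkback disk. It assumes that xl's list-of-strings syntax is Python-literal compatible (so ast.literal_eval can read it), that an unspecified format defaults to raw as xl-disk-configuration documents, and that an unspecified backendtype must be treated conservatively, since xl may pick blkback for it. The sample configs are constructed for the example.

```python
"""Added example (not the advisory's own tooling): classify the disks of an
xl.cfg domain configuration by whether they could be served by the Linux
kernel blkback, using the two exclusions XSA-350 states: a disk with
backendtype=qdisk is served by qemu, and a disk whose format is not raw
cannot be on blkback."""

import ast
import re


def parse_disk_specs(cfg_text):
    """Return the disk spec strings from the ``disk = [...]`` entry of an xl.cfg.

    Assumption: xl's list-of-strings syntax is Python-literal compatible, so
    ast.literal_eval is enough here. Returns [] when the config has no disks.
    """
    m = re.search(r"^\s*disk\s*=\s*(\[.*?\])", cfg_text, re.MULTILINE | re.DOTALL)
    if not m:
        return []
    return [s.strip() for s in ast.literal_eval(m.group(1))]


def parse_spec(spec):
    """Turn one disk spec into a dict of parameters.

    Handles the key=value syntax ('format=raw, vdev=xvda, ...') and the
    positional legacy syntax ('[prefix:]target,vdev,access'), where the 'phy:'
    prefix selects the kernel blkback and 'file:' names a raw image file whose
    backend xl chooses. Any other legacy prefix is left unclassified.
    """
    params = {}
    parts = [p.strip() for p in spec.split(",") if p.strip()]
    if any("=" in p for p in parts):
        for p in parts:
            key, sep, value = p.partition("=")
            if sep:
                params[key.strip()] = value.strip()
    elif parts:
        target = parts[0]
        prefix, sep, rest = target.partition(":")
        if sep and prefix == "phy":
            params["backendtype"] = "phy"
            params["target"] = rest
        elif sep and prefix == "file":
            params["target"] = rest        # raw file; backendtype left unset
        else:
            params["target"] = target      # unknown prefix: classified conservatively
        if len(parts) > 1:
            params["vdev"] = parts[1]
    return params


def may_use_linux_blkback(params):
    """Apply the advisory's exclusions; True means the disk is not ruled out.

    Assumption: an unspecified format defaults to raw (xl-disk-configuration),
    and an unspecified backendtype is treated as possibly blkback.
    """
    if params.get("backendtype") == "qdisk":
        return False                       # userspace (qemu) backend: not vulnerable
    if params.get("format", "raw") != "raw":
        return False                       # blkback only serves raw images
    return True


def classify_config(cfg_text):
    """Return [(spec, may_use_blkback)] for every disk in the config."""
    return [(spec, may_use_linux_blkback(parse_spec(spec)))
            for spec in parse_disk_specs(cfg_text)]


def domain_exposed(cfg_text):
    """True if any disk of this domain could sit on Linux blkback. Whether the
    bug is actually present is decided by the dom0 / driver domain kernel."""
    return any(flag for _, flag in classify_config(cfg_text))


# Constructed sample xl.cfg fragments (not taken from the advisory).
MIXED_CFG = """
name = "guest1"
disk = [
    'phy:/dev/vg0/guest1-root,xvda,w',
    'format=qcow2, vdev=xvdb, access=rw, target=/var/lib/xen/guest1-data.qcow2',
    'backendtype=qdisk, format=raw, vdev=xvdc, access=rw, target=/var/lib/xen/guest1-swap.img',
]
"""

QDISK_ONLY_CFG = """
name = "guest2"
disk = [ 'backendtype=qdisk, format=raw, vdev=xvda, access=rw, target=/var/lib/xen/guest2.img' ]
"""

if __name__ == "__main__":
    for cfg in (MIXED_CFG, QDISK_ONLY_CFG):
        for spec, flag in classify_config(cfg):
            print(("blkback?   " if flag else "excluded   ") + spec)
        print("domain exposed:", domain_exposed(cfg))
```

Running it over MIXED_CFG flags only the phy: disk; the qcow2 disk and the qdisk-backed disk are excluded by the advisory's rules, and QDISK_ONLY_CFG is not exposed at all. The script covers the configuration half of the question only: a domain it flags is exposed only if the dom0 or driver domain kernel carries commit a24fa22ce22a or one of its backports.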
