CVE-2020-16843: Firecracker v0.20.0, v0.21.0 and v0.21.1 network stack can freeze under heavy ingress traffic #2057

@ioanachirca

We have identified an issue in the Firecracker v0.20.0, v0.21.0 and v0.21.1 virtio-net emulation.

Issue Description

Under heavy network ingress traffic, when the host TAP interface's receive queue is not drained and the guest virtio-net device's receive queue is full, the microVM network interface ingress can freeze. Recovery from this state is not possible. This results in a denial of service on the microVM when it is configured with a single network interface, and causes an availability problem for the microVM network interface on which the issue is triggered.

This issue is difficult to reproduce with TCP traffic. The TCP congestion algorithm makes it harder to fill both the TAP interface and virtio receive queues.

Impact

When this issue is triggered, the guest kernel network interface will no longer receive packets.

Vulnerable Systems

Firecracker releases v0.20.0, v0.21.0 and v0.21.1 are affected.

Mitigation

Patched binaries mitigating this issue have been released as Firecracker v0.20.1[1] and Firecracker v0.21.2[2].
If you are using Firecracker v0.20.0, v0.21.0 or v0.21.1, we recommend you apply the provided fix. If you are using Firecracker v0.19.1 or below, you do not need to take any action.

[1] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.20.1
[2] https://github.com/firecracker-microvm/firecracker/releases/tag/v0.21.2
