Bug 369531 (CVE-2007-5498)

Summary: CVE-2007-5498 missing sanity check in xen block backend driver
Product: [Other] Security Response Reporter: Gerd Hoffmann <kraxel>
Component: vulnerabilityAssignee: Gerd Hoffmann <kraxel>
Status: CLOSED CURRENTRELEASE QA Contact: Martin Jenner <mjenner>
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anton, bburns, berrange, clalance, dhoward, kreilly, lwang, osoukup, sct, security-response-team, wezhang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-10 16:25:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 378281, 378291    
Bug Blocks:    
Attachments:
Description Flags
suggested patch (against upstream mercurial repository).
none
patch version for rhe5.1 kernel none

Description Gerd Hoffmann 2007-11-07 12:17:24 UTC 
Description of problem:
The blkif_get_x86_32_req() and blkif_get_x86_64_req() functions don't
sanity-check the req->nr_segments value.

The functions are part of the 32-on-64 support.  They translate block I/O
request structs from 32bit ABI to 64bit ABI and visa versa.  They are used in
case 32bit paravirtualized guests (or 32bit hvm guests with pv-on-hvm drivers
installed) are running on a 64bit host.

Version-Release number of selected component (if applicable):
RHEL 5.1 kernel.
Comment 1 Gerd Hoffmann 2007-11-07 12:17:24 UTC 
Created attachment 250031 [details]
suggested patch (against upstream mercurial repository).
Comment 2 Gerd Hoffmann 2007-11-07 16:09:07 UTC 
Created attachment 250281 [details]
patch version for rhe5.1 kernel
Comment 3 Gerd Hoffmann 2007-11-07 16:11:14 UTC 
Hmm, /me can't ask for rhel‑5.1.z ack ...
Comment 8 Jan Lieskovsky 2008-04-22 07:23:11 UTC 
Attaching link to upstream commit yet:

http://xenbits.xensource.com/linux-2.6.18-xen.hg?diff/cf8b6cafa2f0/include/xen/blkif.h
Comment 9 Chris Lalancette 2009-09-10 16:24:58 UTC 
This patch was committed long ago; closing out this tracker bug.

Chris Lalancette