Bug 377561 (CVE-2007-5907)

Summary: CVE-2007-5907 kernel-xen 3.1.1 does not prevent modification of the CR4 TSC from applications (DoS possible)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Chris Lalancette <clalance>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bburns, clalance, dhoward, jpirko, kernel-maint, kreilly, lwang, security-response-team, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-25 10:24:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 378471, 378481, 390091, 390101, 390111, 390121    
Bug Blocks: 470954    
Attachments:
Description Flags
Patch to allow guest kernels to trap CR4 access none

Description Jan Lieskovsky 2007-11-12 11:21:09 UTC
Description of problem:

Xen 3.1.1 does not prevent modification of the CR4 TSC from
applications, which allows pv guests to cause a denial of service
(crash). (CVE-2007-5907).

Comment 3 Jan Lieskovsky 2007-11-16 14:59:27 UTC
The official post is here -- there is also patch provided: 
 
http://lists.xensource.com/archives/html/xen-devel/2007-10/msg00932.html 

Comment 11 Chris Lalancette 2008-09-12 14:13:05 UTC
Created attachment 316578 [details]
Patch to allow guest kernels to trap CR4 access

This is the current patch I've been testing for this issue.  It's pretty close to xen-unstable c/s 16259 + 16333, but has the following modifications:

1)  irq_masked() is called in a few different places in the 3.1 codebase, so fix up all of the callers of it.
2)  Remove all calls to pge_off and pge_on.  Upstream went with a re-written flushing mechanism before this c/s went in, so just make sure to follow the pge_off/pge_on discipline that was there.

Chris Lalancette

Comment 12 Chris Lalancette 2008-09-16 09:46:59 UTC
Comment on attachment 316578 [details]
Patch to allow guest kernels to trap CR4 access

Since this is the master tracking bug, this patch doesn't belong here.  Obsoleting.