Bug 500945 (CVE-2009-1758)

Summary: CVE-2009-1758 kernel: xen: local denial of service
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: clalance, dhoward, dwu, jlieskov, jpirko, jskrabal, lwang, pbonzini, sct, vgoyal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: reported=20090515,public=20090513,impact=moderate,source=osssecurity,cvss2=4.9/AV:L/AC:L/Au:N/C:N/I:N/A:C
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-06 04:06:13 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 500948, 500949, 500950, 500951, 523641    
Bug Blocks:    

Description Eugene Teo (Security Response) 2009-05-15 00:05:13 EDT
Description of problem:
The missing check of the interrupted code's code selector in hypervisor_callback() allowed a user mode application to oops (and perhaps crash) the kernel.

Further adjustments:
- the 'main' critical region does not include the jmp following the
  disabling of interrupts
- the sysexit_[se]crit range checks got broken at some point - the
  sysexit ciritcal region is always at higher addresses than the 'main'
  one, yielding the check pointless (but consuming execution time);
  since the supervisor mode kernel isn't actively used afaict, I moved
  that code into an #ifdef using a hypothetical config option
- the use of a numeric label across more than 300 lines of code always
  seemed pretty fragile to me, so the patch replaces this with a local
  named label
- streamlined the critical_region_fixup code to eliminate a branch

http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
Comment 1 Eugene Teo (Security Response) 2009-05-15 00:07:14 EDT
A user mode application running in a x86 32bit Xen Guest could Ooops (denial of service) of the guest by causing a segfault in certain address ranges.

(Just jumping to an address between "ecrit" and "scrit" symbols is sufficient.)

This is not a mainline Linux kernel issue, the bug is in the XEN patchset against the Linux kernel.

http://article.gmane.org/gmane.comp.security.oss.general/1757
Comment 8 Eugene Teo (Security Response) 2009-05-15 03:43:12 EDT
Upstream commit:
http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/9b9454800544
Comment 16 Jan Lieskovsky 2009-05-22 07:13:03 EDT
CVE-2009-1578:

The hypervisor_callback function in Xen, possibly before 3.4.0, as
applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other
versions allows guest user applications to cause a denial of service
(kernel oops) of the guest OS by triggering a segmentation fault in
"certain address ranges." 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1758
http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
http://www.openwall.com/lists/oss-security/2009/05/14/2
Comment 19 errata-xmlrpc 2009-06-16 18:34:30 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html
Comment 20 errata-xmlrpc 2009-06-30 04:06:20 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html