Bug 530515 (CVE-2009-3638)

Summary: CVE-2009-3638 kernel: kvm: integer overflow in kvm_dev_ioctl_get_supported_cpuid()
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Reporter: Eugene Teo (Security Response) <eteo>
Assignee: Red Hat Product Security <security-response-team>
CC: cebbert, davej, kyle, lwang, rcvalle
Keywords: Security
Target Milestone: ---
Target Release: ---
Whiteboard: impact=important,source=lkml,reported=20091023,public=20091004,cvss2=7.2/AV:L/AC:L/Au:N/C:C/I:C/A:C,cwe=CWE-190->CWE-119
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2009-10-26 03:16:05 UTC

Description Eugene Teo (Security Response) 2009-10-23 09:00:41 UTC
Quote from the upstream commit:
"The number of entries is multiplied by the entry size, which can overflow on 32-bit hosts.  Bound the entry count instead."

 	if (cpuid->nent < 1)
 		goto out;
+	if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
+		cpuid->nent = KVM_MAX_CPUID_ENTRIES;
 	r = -ENOMEM;
 	cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
 	if (!cpuid_entries)
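Review bot: the added `if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)` clamp silently shrinks an oversized request instead of rejecting it, so a caller that asks for more than KVM_MAX_CPUID_ENTRIES entries gets a shorter table back with no error; consider returning an error such as -E2BIG, or at least documenting that nent is clamped. The clamp also only removes the overflow because KVM_MAX_CPUID_ENTRIES is small enough that `sizeof(struct kvm_cpuid_entry2) * cpuid->nent` fits in a 32-bit size_t; that dependency is not visible in the hunk, so a one-line comment next to the clamp stating the bound's purpose would keep a future bump of the constant from reintroducing the wrap.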

This one can be triggered if /dev/kvm is user accessible (which is recommended...). This was introduced in v2.6.25-rc1, and fixed in v2.6.32-rc4. Only affects 32-bit machines.

References:
http://git.kernel.org/linus/0771671749b59a507b6da4efb931c44d9691e248
http://git.kernel.org/linus/6a54435560efdab1a08f429a954df4d6c740bddf
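The wrap described in the report, as an added C example that is not part of the bug report or of the kernel source. `struct cpuid_entry2` is a stand-alone replica of the ten 32-bit fields of the KVM `kvm_cpuid_entry2` layout (40 bytes), `MAX_CPUID_ENTRIES` is an assumed value for KVM_MAX_CPUID_ENTRIES, and the hostile entry count is constructed. The `uint32_t` cast emulates a 32-bit host's `size_t` so the wrap is reproducible on a 64-bit build machine; it also includes a generic multiplication-overflow check, which the patch itself does not use.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Replica of the kvm_cpuid_entry2 layout: ten 32-bit fields, 40 bytes.
 * Defined here only so the example compiles without kernel headers. */
struct cpuid_entry2 {
    uint32_t function, index, flags;
    uint32_t eax, ebx, ecx, edx;
    uint32_t padding[3];
};

/* Assumed value of KVM_MAX_CPUID_ENTRIES; the fix relies on it being small. */
#define MAX_CPUID_ENTRIES 80

/* Pre-fix calculation. On a 32-bit host size_t is 32 bits wide, so the
 * product silently wraps; the cast reproduces that on a 64-bit build. */
static uint32_t alloc_size_unbounded(uint32_t nent)
{
    return (uint32_t)(sizeof(struct cpuid_entry2) * nent);
}

/* Post-fix calculation: clamp nent first, as the hunk does, so the product
 * can never exceed 80 * 40 bytes. nent is updated in place because the
 * ioctl writes the (possibly clamped) count back to the caller. */
static uint32_t alloc_size_bounded(uint32_t *nent)
{
    if (*nent > MAX_CPUID_ENTRIES)
        *nent = MAX_CPUID_ENTRIES;
    return (uint32_t)(sizeof(struct cpuid_entry2) * *nent);
}

/* Generic alternative when no natural upper bound exists: detect whether
 * count * elem_size wraps in 32-bit arithmetic before allocating. */
static int mul_wraps_u32(uint32_t count, uint32_t elem_size)
{
    return elem_size != 0 && count > UINT32_MAX / elem_size;
}

int main(void)
{
    /* Constructed attacker-chosen count: 40 * 0x06666667 = 0x100000018,
     * which wraps to 24 bytes in a 32-bit size_t, so vmalloc() returns a
     * 24-byte buffer that the kernel then treats as holding nent entries. */
    uint32_t hostile = 0x06666667u;
    uint32_t n = hostile;

    printf("nent=%" PRIu32 " unbounded alloc=%" PRIu32 " bytes (wraps: %s)\n",
           hostile, alloc_size_unbounded(hostile),
           mul_wraps_u32(hostile, (uint32_t)sizeof(struct cpuid_entry2)) ? "yes" : "no");
    printf("nent=%" PRIu32 " bounded alloc=%" PRIu32 " bytes, nent clamped to %" PRIu32 "\n",
           hostile, alloc_size_bounded(&n), n);
    return 0;
}
```

The clamp approach is what the upstream fix chose; the division check is the shape to reach for when the count has no fixed ceiling, since it rejects the request instead of quietly changing it.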

Comment 1 Chuck Ebbert 2009-10-23 13:27:28 UTC
Also fixed in 2.6.31.4

Comment 2 Eugene Teo (Security Response) 2009-10-26 03:16:05 UTC
(In reply to comment #0)
[...]
> This one can be triggered if /dev/kvm is user accessible (which is
> recommended...). This was introduced in v2.6.25-rc1, and fixed in v2.6.32-rc4.
> Only affects 32-bit machines.

Since this affects 32-bit machines, and we only support x86_64 KVM hosts on Red Hat Enterprise Linux 5, this bug will be closed as NOTABUG.

Comment 3 Fedora Update System 2009-11-05 05:05:43 UTC
kernel-2.6.30.9-96.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.9-96.fc11

Comment 4 Fedora Update System 2009-11-05 05:14:38 UTC
kernel-2.6.27.38-170.2.113.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.38-170.2.113.fc10

Comment 5 Fedora Update System 2009-11-06 00:02:56 UTC
kernel-2.6.30.9-96.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-11-06 00:04:51 UTC
kernel-2.6.27.38-170.2.113.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.