Bug 658155 (CVE-2010-4255)

Summary: CVE-2010-4255 xen: 64-bit PV xen guest can crash host by accessing hypervisor per-domain memory area
Product: [Other] Security Response Reporter: Paolo Bonzini <pbonzini>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: drjones, eteo, herrold, iannis, pmatouse
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-06 08:04:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 658353, 658354    
Bug Blocks:    

Comment 1 Adrien Kunysz 2010-11-29 15:38:58 UTC 
The bug description and patch in upstream xen-devel mailing list: http://lists.xensource.com/archives/html/xen-devel/2010-11/msg01650.html
Comment 2 Eugene Teo (Security Response) 2010-11-30 05:00:52 UTC 
handle_gdt_ldt_mapping_fault() is intended to deal with indirect accesses (i.e. those caused by descriptor loads) to the GDT/LDT mapping area only. While for 32-bit segment limits indeed prevent the function being entered for direct accesses (i.e. a #GP fault will be raised even before the address translation gets done, on 64-bit even user mode accesses would lead to control reaching the BUG_ON() at the beginning of that function.

Fortunately the fix is simple: Since the guest kernel runs in ring 3, any guest direct access will have the "user mode" bit set, whereas descriptor loads always do the translations to access the actual descriptors as kernel mode ones.
Comment 5 errata-xmlrpc 2011-01-13 22:02:41 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html
Comment 6 errata-xmlrpc 2011-01-14 09:03:34 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html