Bug 702657 (CVE-2011-1780)

Summary: CVE-2011-1780 kernel: xen: svm: insufficiencies in handling emulated instructions during vm exits
Product: [Other] Security Response
Reporter: Huang Wenlong <whuang>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: cshao, cwei, ddutile, dhoward, drjones, jrieden, leiwang, lersek, lwang, mshao, pbonzini, plougher, pmatouse, security-response-team
Keywords: Security
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2017-09-15 16:49:32 UTC
Bug Depends On: 703715, 703716
Bug Blocks: 718617
Attachments: check inst_len and return on zero (flags: none)

Description Huang Wenlong 2011-05-06 13:52:31 UTC
A bug was found in the way Xen handles instruction emulation during VM exits. A malicious guest user space process running in an SMP guest can trick the emulator into reading a different instruction than the one that caused the VM exit. To do so, it should run a legitimate instruction that causes a VM exit in one thread and replace this instruction with another one from a second thread. An unprivileged guest user can potentially use this flaw to crash the host.

-------------------------------------------------------------

Original name:
xen: svvp Disable Enable With IO will reboot the host which CPU is AMD

Description of problem:
svvp Disable Enable With IO will reboot the host

svvp "Disable Enable with IO"'s child job "Driver Verifier -Enable"'s child job "Reboot System Under Test" should only reboot the guest, but when the guest prepares to enter the desktop after the reboot, the host (SUT) reboots.


Version-Release number of selected component (if applicable):
xen-3.0.3-129.el5
kernel-xen-2.6.18-257.el5
xenpv-win-1.3.4-9.el5

How reproducible:
100%


Steps to Reproduce:
1. run the Disable Enable With IO

Actual results:
host will reboot

Expected results:
host should not reboot

Additional info:
Sometimes the guest does not even run the disable and enable jobs; the host will reboot when I reboot the guest that has run the disable and enable job once.
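A simplified model of the hardened exit path (the "check inst_len and return on zero" change named in the attachment), added here as an example and not Xen's own code: the exit handler re-fetches the bytes at the guest RIP, checks that they still encode the instruction the exit reason implies, and on a mismatch (for instance because another guest thread rewrote them after the exit) faults the guest instead of asserting inside the hypervisor. The vcpu struct, the exit-reason names and the 64-byte guest code page are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum exit_reason { EXIT_CPUID, EXIT_HLT, EXIT_VMMCALL };

struct vcpu {                 /* assumed, simplified vCPU state */
    uint8_t guest_mem[64];    /* constructed: a tiny guest code page */
    size_t rip;               /* offset of the instruction that exited */
    int guest_fault;          /* set when a fault is injected into the guest */
};

/* Opcode the hardware must have seen for each exit reason:
 * CPUID = 0F A2, HLT = F4, VMMCALL = 0F 01 D9. */
static const struct { uint8_t bytes[3]; size_t len; } expected[] = {
    [EXIT_CPUID]   = { {0x0f, 0xa2},       2 },
    [EXIT_HLT]     = { {0xf4},             1 },
    [EXIT_VMMCALL] = { {0x0f, 0x01, 0xd9}, 3 },
};

static int is_prefix(uint8_t b)   /* legacy prefixes or REX (64-bit mode) */
{
    static const uint8_t legacy[] = { 0x66, 0x67, 0xf0, 0xf2, 0xf3,
                                      0x26, 0x2e, 0x36, 0x3e, 0x64, 0x65 };
    return memchr(legacy, b, sizeof legacy) != NULL || (b & 0xf0) == 0x40;
}

/* Re-fetch the bytes at rip and check they still encode the instruction
 * the exit reason implies. Returns the length, or 0 when they no longer
 * match (e.g. another guest thread rewrote them after the exit). */
size_t get_instruction_length(const struct vcpu *v, enum exit_reason reason)
{
    size_t n = 0, need = expected[reason].len;
    while (v->rip + n < sizeof v->guest_mem && is_prefix(v->guest_mem[v->rip + n]))
        n++;
    if (v->rip + n + need > sizeof v->guest_mem ||
        memcmp(v->guest_mem + v->rip + n, expected[reason].bytes, need) != 0)
        return 0;
    return n + need;
}

/* Exit handler: a zero length faults the guest and returns instead of
 * asserting in the hypervisor (the path that took the host down). */
int handle_exit(struct vcpu *v, enum exit_reason reason)
{
    size_t len = get_instruction_length(v, reason);
    if (len == 0) { v->guest_fault = 1; return 0; }   /* #GP/#UD to guest */
    v->rip += len;   /* emulate, then skip past the instruction */
    return 1;
}
```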

Comment 27 Petr Matousek 2011-05-12 15:05:32 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6, and Red Hat Enterprise MRG. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1065.html.

Also, only systems running on the x86 architecture with an AMD processor and the SVM virtualization extension enabled are affected.

Comment 40 errata-xmlrpc 2011-07-21 09:21:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1065 https://rhn.redhat.com/errata/RHSA-2011-1065.html

Comment 42 errata-xmlrpc 2011-08-16 18:34:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6.Z - Server Only

Via RHSA-2011:1163 https://rhn.redhat.com/errata/RHSA-2011-1163.html