Bug 728042 (CVE-2011-2901)

Summary: CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok()
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anton, dhoward, drjones, imammedo, kernel-mgr, leiwang, lersek, lwang, pbonzini, plougher, pmatouse, security-response-team, sforsber
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-10 08:16:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 719850, 728043, 753009, 798934    
Bug Blocks: 728040    
Attachments:
Description Flags
upstream patch none

Description Eugene Teo (Security Response) 2011-08-04 01:35:24 UTC 
The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the "negative half" too, via certain hypercalls which ignore virtual-address bits [63:48]. 

As a result, a malicious guest administrator on a vulnerable system is able to crash the host.

There are no known further exploits but these have not been ruled out.
Comment 2 Petr Matousek 2011-08-11 14:32:21 UTC 
Statement:

The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6,
and Red Hat Enterprise MRG are not affected. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1212.html.
Comment 5 Vincent Danen 2011-09-02 21:13:28 UTC 
Created attachment 521288 [details]
upstream patch

From the upstream advisory:  http://www.openwall.com/lists/oss-security/2011/09/02/2
Comment 6 errata-xmlrpc 2011-09-13 15:44:20 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1212 https://rhn.redhat.com/errata/RHSA-2011-1212.html
Comment 8 errata-xmlrpc 2011-12-13 21:29:25 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6.Z - Server Only

Via RHSA-2011:1813 https://rhn.redhat.com/errata/RHSA-2011-1813.html
Comment 9 Petr Matousek 2012-03-01 10:29:25 UTC 
Created xen tracking bugs for this issue

Affects: fedora-all [bug 798934]