Bug 813908 (CVE-2012-0218)

Summary: CVE-2012-0218 kernel: xen: guest denial of service on syscall/sysenter exception generation
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, anton, dhoward, drjones, imammedo, jlieskov, lersek, lwang, mjc, mrezanin, pbonzini, plougher, security-response-team, sforsber, tburke, xen-maint
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-23 12:26:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 813909, 813910    
Bug Blocks: 813442    

Description Petr Matousek 2012-04-18 18:14:44 UTC 
When guest user code running inside a Xen guest operating system attempts to execute a syscall or sysenter instruction, but when the guest operating system has not registered a handler for that instruction, a General Protection Fault may need to be injected into the guest.

It has been discovered that the code in Xen which does this fails to clear a flag requesting exception injection, with the result that a future exception taken by the guest and handled entirely inside Xen will also be injected into the guest despite Xen having handled it already, probably crashing the guest.

An unprivileged local user on 32-bit or 64-bit PV guest could potentially use this flaw to crash the guest.

Upstream fixes:
http://xenbits.xensource.com/hg/staging/xen-unstable.hg/rev/80f4113be500
http://xenbits.xensource.com/hg/staging/xen-unstable.hg/rev/569d6f05e1ef

Acknowledgements:

Red Hat would like to thank the Xen for reporting this issue.
Comment 4 Petr Matousek 2012-04-23 12:25:58 UTC 
Statement:

Not vulnerable.

This issue did not affect the versions of the kernel-xen package as shipped with Red Hat Enterprise Linux 5 as we did not have support for sysenter and compat (32bit) version of syscall instructions for PV guests running on the Xen hypervisor (introduced in upstream changeset 16207:aeebd173c3fa).

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as we did not have support for Xen hypervisor.
Comment 7 Mark J. Cox 2012-05-15 14:47:22 UTC 
CERT contacted us and moved the embargo to 12th June 2012
Comment 8 Jan Lieskovsky 2012-06-12 12:09:16 UTC 
Public via:
http://www.openwall.com/lists/oss-security/2012/06/12/2