Bug 369531 (CVE-2007-5498) - CVE-2007-5498 missing sanity check in xen block backend driver
Summary: CVE-2007-5498 missing sanity check in xen block backend driver
Status: CLOSED CURRENTRELEASE
Alias: CVE-2007-5498
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ---
Assignee: Gerd Hoffmann
QA Contact: Martin Jenner
URL:
Whiteboard: impact=important,source=bz,reported=2...
Keywords: Security
Depends On: 378281 378291
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-11-07 12:17 UTC by Gerd Hoffmann
Modified: 2009-09-10 16:25 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 16:25:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
suggested patch (against upstream mercurial repository). (1.18 KB, patch)
2007-11-07 12:17 UTC, Gerd Hoffmann
no flags Details | Diff
patch version for rhe5.1 kernel (1.23 KB, patch)
2007-11-07 16:09 UTC, Gerd Hoffmann
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0233 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-05-07 07:47:37 UTC

Description Gerd Hoffmann 2007-11-07 12:17:24 UTC
Description of problem:
The blkif_get_x86_32_req() and blkif_get_x86_64_req() functions don't
sanity-check the req->nr_segments value.

The functions are part of the 32-on-64 support.  They translate block I/O
request structs from 32bit ABI to 64bit ABI and visa versa.  They are used in
case 32bit paravirtualized guests (or 32bit hvm guests with pv-on-hvm drivers
installed) are running on a 64bit host.

Version-Release number of selected component (if applicable):
RHEL 5.1 kernel.

Comment 1 Gerd Hoffmann 2007-11-07 12:17:24 UTC
Created attachment 250031 [details]
suggested patch (against upstream mercurial repository).

Comment 2 Gerd Hoffmann 2007-11-07 16:09:07 UTC
Created attachment 250281 [details]
patch version for rhe5.1 kernel

Comment 3 Gerd Hoffmann 2007-11-07 16:11:14 UTC
Hmm, /me can't ask for rhel‑5.1.z ack ...

Comment 8 Jan Lieskovsky 2008-04-22 07:23:11 UTC
Attaching link to upstream commit yet:

http://xenbits.xensource.com/linux-2.6.18-xen.hg?diff/cf8b6cafa2f0/include/xen/blkif.h

Comment 9 Chris Lalancette 2009-09-10 16:24:58 UTC
This patch was committed long ago; closing out this tracker bug.

Chris Lalancette


Note You need to log in before you can comment on or make changes to this bug.