Bug 406881 - (CVE-2007-6207) CVE-2007-6207 [5.2][XEN] Security: some HVM domain can access another domain memory.
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: ia64 Linux
Priority: urgent, Severity: high
Assigned To: Jarod Wilson
Martin Jenner
impact=important,public=20071122,repo...
Keywords: Security
Depends On: 408701 408711
Reported: 2007-11-30 14:43 EST by Issue Tracker
Modified: 2015-02-16 10:42 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-07-25 06:21:00 EDT
Attachments
back-port of relevant upstream changesets (5.09 KB, patch)
2007-12-14 10:35 EST, Jarod Wilson
Description Issue Tracker 2007-11-30 14:43:55 EST
Escalated to Bugzilla from IssueTracker
Comment 1 Issue Tracker 2007-11-30 14:43:56 EST
RHN System ID:

Customer Contact Name:
  Atsushi SAKAI

Summary:
[Xen][5.2] Security: some HVM domain can access another domain memory.

Version-Release number of selected component.
Red Hat Enterprise Linux Version Number: 5.1RC
Release Number: none
Architecture: IA64
Kernel Version: 2.6.18
Related Package Version: none
Related Middleware/Application: none

Drivers or hardware or architecture dependency:
“None. This bug is generated regardless of driver.”
“None. This bug is generated regardless of hardware.”
IA64

Description of Problem:
 some HVM domain can access another domain memory.
Tristan Gingold wrote:
  This is a security hole as it allowed a VTi domain to read memory of any other domain.
  http://lists.xensource.com/archives/html/xen-ia64-devel/2007-10/msg00189.html


How reproducible:
 Always

Step to Reproduce:
 some security fault application get root privilege on guest OS(HVM).
 and executes memory access in kernel mode.

Actual Results:
 Can access another domain memory.
 
Expected Results:
 Cannot access another domain memory

Summary of actions taken to resolve issue:
  none

Location of diagnostic data:
  none

Hardware configuration:
Model: PRIMEQUEST
CPU Info: Itanium 2
Memory Info: 32GB
Hardware Component Information: none
Configuration Info: none

Business Impact:
 Security fault.

Fix Target: 5.2
errata Request: None
Hotfix Request: None


Additional Info:
  16210: [IA64] Define IA64_DOMAIN_RID_BITS_OFFSET.
  http://xenbits.xensource.com/xen-unstable.hg?rev/71fcc70ea78b
  16212: [IA64] Check range of r2 for mov rr[r3]=r2
  http://xenbits.xensource.com/xen-unstable.hg?rev/359484cee7d9


This event sent from IssueTracker by csnook  [Support Engineering Group]
 issue 138409
Comment 2 Issue Tracker 2007-11-30 14:43:58 EST
Hi Sakai-san,

I'll escalate this issue as a security issue.
On ahead, please let me confirm one point.

  - Did you confirm this issue on RHEL5?

If you confirmed it, we need the sysreport. Even if you didn't confirm,
I'll escalate this to Engineering to have them review this.

Regards,

## Please set the version of RHEL having the problem to 
## the form "version" on IT tickets.
## I'll change into 5.1.

Internal Status set to 'Waiting on Customer'
Status set to: Waiting on Client
Priority set to: 1
Version changed from '5.2' to '5.1'

Comment 3 Issue Tracker 2007-11-30 14:43:59 EST
> Did you confirm this issue on RHEL5?

I confirmed only the kernel's source code. The version is 2.6.18-53.el5.

Thanks,
KUWAMURA Shin'ya


Internal Status set to 'Waiting on Support'
Status set to: Waiting on Tech

Comment 4 Issue Tracker 2007-11-30 14:44:00 EST
General Escalation Information
State the problem

   1. Provide time and date of problem
   2. Provide clear and concise problem description as it is understood at
the time of escalation

 some HVM domain can access another domain memory.
Tristan Gingold wrote:
 This is a security hole as it allowed a VTi domain to read memory of any other domain.
  http://lists.xensource.com/archives/html/xen-ia64-devel/2007-10/msg00189.html


   3. State specific action requested of SEG

Please escalate to Engineering.

   4. State whether or not a defect in the product is suspected

   5. If there is a proposed patch, make sure it is in unified diff format
(diff -pruN) 

http://lists.xensource.com/archives/html/xen-ia64-devel/2007-10/msg00189.html




Issue escalated to Support Engineering Group by: mmatsuya.
Internal Status set to 'Waiting on SEG'

Comment 6 Jan Lieskovsky 2007-12-03 09:57:43 EST
This one has not been assigned a CVE number yet. Will attach it as soon as it gets one.
Comment 7 Bill Burns 2007-12-12 10:36:50 EST
Marking ia64 as that is the only architecture concerned.
Comment 13 Jarod Wilson 2007-12-14 10:35:42 EST
Created attachment 289141 [details]
back-port of relevant upstream changesets

Here's the backport of the relevant upstream changesets, plus one additional
fix:

http://lists.xensource.com/archives/html/xen-ia64-devel/2007-12/msg00133.html
Comment 20 Red Hat Product Security 2008-07-25 06:21:00 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0154.html

