Bug 470954 - [REG] kernel-xen 3.1.1 does not prevent modification of the CR4 TSC from applications (DoS possible)
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Keywords: Regression
Depends On: CVE-2007-5907 470955 470956
Reported: 2008-11-10 22:27 EST by Eugene Teo (Security Response)
Modified: 2009-02-18 04:07 EST
Doc Type: Bug Fix
Last Closed: 2009-02-18 04:07:03 EST

Attachments: None
Description Eugene Teo (Security Response) 2008-11-10 22:27:01 EST
+++ This bug was initially created as a clone of Bug #377561 +++

Description of problem:

Xen 3.1.1 does not prevent modification of the CR4 TSC from
applications, which allows pv guests to cause a denial of service
(crash). (CVE-2007-5907).

--- Additional comment from jlieskov@redhat.com on 2007-11-16 09:59:27 EDT ---

The official post is here -- there is also a patch provided:

http://lists.xensource.com/archives/html/xen-devel/2007-10/msg00932.html

--- Additional comment from eteo@redhat.com on 2008-08-10 21:28:06 EDT ---

Proposed patch for the rhel-5.2
http://post-office.corp.redhat.com/archives/rhkernel-list/2008-March/msg01393.html

--- Additional comment from clalance@redhat.com on 2008-09-12 10:13:05 EDT ---

Created an attachment (id=316578)
Patch to allow guest kernels to trap CR4 access

This is the current patch I've been testing for this issue.  It's pretty close to xen-unstable c/s 16259 + 16333, but has the following modifications:

1)  irq_masked() is called in a few different places in the 3.1 codebase, so fix up all of the callers of it.
2)  Remove all calls to pge_off and pge_on.  Upstream went with a re-written flushing mechanism before this c/s went in, so just make sure to follow the pge_off/pge_on discipline that was there.

Chris Lalancette

--- Additional comment from clalance@redhat.com on 2008-09-16 05:46:59 EDT ---

(From update of attachment 316578)
Since this is the master tracking bug, this patch doesn't belong here.  Obsoleting.
Comment 1 Eugene Teo (Security Response) 2008-11-10 22:29:00 EST
The fix for this has caused regressions in some systems. This bug is used to keep track of the regression to ensure that we resolve this ASAP.
Comment 3 Eugene Teo (Security Response) 2008-11-10 22:46:24 EST
(In reply to comment #1)
> The fix for this has caused regressions in some systems. This bug is used to
> keep track of the regression to ensure that we resolve this ASAP.

*this* refers to CVE-2007-5907. Thanks.
Comment 4 Eugene Teo (Security Response) 2008-11-11 03:27:16 EST
(In reply to comment #3)
> (In reply to comment #1)
> > The fix for this has caused regressions in some systems. This bug is used to
> > keep track of the regression to ensure that we resolve this ASAP.
> 
> *this* refers to CVE-2007-5907. Thanks.

Just to clarify. The fix for CVE-2007-5907 did not introduce a new security vulnerability. It introduced a normal bug where the kernel does not boot on certain hardware. I have removed the assigned CVE name, and Security keyword from the bugs. Thanks.
Comment 5 Chris Lalancette 2009-01-22 03:28:21 EST
The CVE and the regression caused by the initial patch have been solved in both the 5.2.z stream and 5.3.  I'm not quite sure of the procedure with security bugs, but can we close this out now?

Chris Lalancette
Comment 6 Eugene Teo (Security Response) 2009-02-18 02:33:46 EST
Yes. Please close the bug, thanks.
Comment 7 Chris Lalancette 2009-02-18 04:07:03 EST
Great, thanks.  Closing.