Red Hat Bugzilla – Bug 470954
[REG] kernel-xen 3.1.1 does not prevent modification of the CR4 TSC from applications (DoS possible)
Last modified: 2009-02-18 04:07:03 EST
+++ This bug was initially created as a clone of Bug #377561 +++
Description of problem:
Xen 3.1.1 does not prevent modification of the CR4 TSC from
applications, which allows pv guests to cause a denial of service
--- Additional comment from firstname.lastname@example.org on 2007-11-16 09:59:27 EDT ---
The official post is here -- there is also a patch provided:
--- Additional comment from email@example.com on 2008-08-10 21:28:06 EDT ---
Proposed patch for then rhel-5.2
--- Additional comment from firstname.lastname@example.org on 2008-09-12 10:13:05 EDT ---
Created an attachment (id=316578)
Patch to allow guest kernels to trap CR4 access
This is the current patch I've been testing for this issue. It's pretty close to xen-unstable c/s 16259 + 16333, but has the following modifications:
1) irq_masked() is called in a few different places in the 3.1 codebase, so fix up all of the callers of it.
2) Remove all calls to pge_off and pge_on. Upstream went with a re-written flushing mechanism before this c/s went in, so just make sure to follow the pge_off/pge_on discipline that was there.
--- Additional comment from email@example.com on 2008-09-16 05:46:59 EDT ---
(From update of attachment 316578)
Since this is the master tracking bug, this patch doesn't belong here. Obsoleting.
The fix for this has caused regressions in some systems. This bug is used to keep track of the regression to ensure that we resolve this ASAP.
(In reply to comment #1)
> The fix for this has caused regressions in some systems. This bug is used to
> keep track of the regression to ensure that we resolve this ASAP.
*this* refers to CVE-2007-5907. Thanks.
(In reply to comment #3)
> (In reply to comment #1)
> > The fix for this has caused regressions in some systems. This bug is used to
> > keep track of the regression to ensure that we resolve this ASAP.
> *this* refers to CVE-2007-5907. Thanks.
Just to clarify. The fix for CVE-2007-5907 did not introduce a new security vulnerability. It introduced a normal bug where the kernel does not boot on certain hardware. I have removed the assigned CVE name, and Security keyword from the bugs. Thanks.
The CVE and the regression caused by the initial patch have been solved in both the 5.2.z stream and 5.3. I'm not quite sure of the procedure with security bugs, but can we close this out now?
Yes. Please close the bug, thanks.
Great, thanks. Closing.