Bug 500945 - (CVE-2009-1758) CVE-2009-1758 kernel: xen: local denial of service
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: reported=20090515,public=20090513,imp...
Keywords: Security
Depends On: 500948 500949 500950 500951 523641
Reported: 2009-05-15 00:05 EDT by Eugene Teo (Security Response)
Modified: 2011-04-06 04:06 EDT
Doc Type: Bug Fix
Last Closed: 2011-04-06 04:06:13 EDT
Attachments: None
Description Eugene Teo (Security Response) 2009-05-15 00:05:13 EDT
Description of problem:
The missing check of the interrupted code's code selector in hypervisor_callback() allowed a user mode application to oops (and perhaps crash) the kernel.

Further adjustments:
- the 'main' critical region does not include the jmp following the
  disabling of interrupts
- the sysexit_[se]crit range checks got broken at some point - the
  sysexit critical region is always at higher addresses than the 'main'
  one, yielding the check pointless (but consuming execution time);
  since the supervisor mode kernel isn't actively used afaict, I moved
  that code into an #ifdef using a hypothetical config option
- the use of a numeric label across more than 300 lines of code always
  seemed pretty fragile to me, so the patch replaces this with a local
  named label
- streamlined the critical_region_fixup code to eliminate a branch

http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
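The check the description refers to, modelled in C as an added illustration (not code from the Xen patchset or from the bug's reporter): the critical-region fixup in hypervisor_callback compared only the saved EIP against the scrit/ecrit labels, so a user-mode fault whose EIP happened to land in that range was treated as an interrupted kernel critical section. The addresses, the selector values 0x73 (ring 3) and 0x61 (ring 1), and the function names are constructed for the example; the one fact assumed beyond the page is that a 32-bit paravirtualised Xen guest kernel runs in ring 1, so "from user mode" has to be tested as RPL 3 rather than as "RPL not 0".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the 'scrit' and 'ecrit' labels that bracket the
 * critical region in the 32-bit Xen guest's hypervisor_callback entry code. */
#define SCRIT 0xc0104000u
#define ECRIT 0xc0104140u

/* The low two bits of a code selector hold the requested privilege level.
 * A 32-bit paravirtualised Xen guest kernel runs in ring 1 (assumption stated
 * in the lead-in), so "from kernel" means RPL 0 or 1; user mode is RPL 3. */
#define SEGMENT_RPL_MASK 3u
#define USER_RPL         3u

static bool eip_in_critical_region(uint32_t eip) {
    return eip >= SCRIT && eip < ECRIT;
}

static bool frame_from_user_mode(uint32_t cs) {
    return (cs & SEGMENT_RPL_MASK) == USER_RPL;
}

/* Before the fix: only the saved EIP was compared against scrit/ecrit.
 * A user-mode fault whose EIP falls in that range is mistaken for an
 * interrupted kernel critical section and the register fixup runs on a
 * user frame, which is what produces the guest oops. */
bool vuln_needs_fixup(uint32_t cs, uint32_t eip) {
    (void)cs;  /* the saved code selector was never consulted */
    return eip_in_critical_region(eip);
}

/* After the fix: the saved CS is checked first, so a user-mode frame never
 * reaches the critical-region fixup whatever its EIP says. */
bool fixed_needs_fixup(uint32_t cs, uint32_t eip) {
    if (frame_from_user_mode(cs))
        return false;
    return eip_in_critical_region(eip);
}

int main(void) {
    /* Constructed selectors: 0x73 is a ring-3 user CS, 0x61 a ring-1 kernel CS. */
    const uint32_t user_cs = 0x73, kernel_cs = 0x61, eip = SCRIT + 0x10;
    printf("user frame, EIP in range  : vulnerable=%d fixed=%d\n",
           vuln_needs_fixup(user_cs, eip), fixed_needs_fixup(user_cs, eip));
    printf("kernel frame, EIP in range: vulnerable=%d fixed=%d\n",
           vuln_needs_fixup(kernel_cs, eip), fixed_needs_fixup(kernel_cs, eip));
    return 0;
}
```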
Comment 1 Eugene Teo (Security Response) 2009-05-15 00:07:14 EDT
A user mode application running in an x86 32-bit Xen guest could oops (denial of service) the guest by causing a segfault in certain address ranges.

(Just jumping to an address between "ecrit" and "scrit" symbols is sufficient.)

This is not a mainline Linux kernel issue, the bug is in the XEN patchset against the Linux kernel.

http://article.gmane.org/gmane.comp.security.oss.general/1757
Comment 8 Eugene Teo (Security Response) 2009-05-15 03:43:12 EDT
Upstream commit:
http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/9b9454800544
Comment 16 Jan Lieskovsky 2009-05-22 07:13:03 EDT
CVE-2009-1758:

The hypervisor_callback function in Xen, possibly before 3.4.0, as
applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other
versions allows guest user applications to cause a denial of service
(kernel oops) of the guest OS by triggering a segmentation fault in
"certain address ranges."

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1758
http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
http://www.openwall.com/lists/oss-security/2009/05/14/2
Comment 19 errata-xmlrpc 2009-06-16 18:34:30 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html
Comment 20 errata-xmlrpc 2009-06-30 04:06:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html