Bug 500945 - (CVE-2009-1758) CVE-2009-1758 kernel: xen: local denial of service
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
: Security
Depends On: 500948 500949 500950 500951 523641
Reported: 2009-05-15 00:05 EDT by Eugene Teo (Security Response)
Modified: 2011-04-06 04:06 EDT
CC List: 10 users

Doc Type: Bug Fix
Last Closed: 2011-04-06 04:06:13 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1106 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-06-16 18:34:13 EDT
Red Hat Product Errata RHSA-2009:1132 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-06-30 04:06:02 EDT

Description Eugene Teo (Security Response) 2009-05-15 00:05:13 EDT
Description of problem:
The missing check of the interrupted code's code selector in hypervisor_callback() allowed a user mode application to oops (and perhaps crash) the kernel.

Further adjustments:
- the 'main' critical region does not include the jmp following the
  disabling of interrupts
- the sysexit_[se]crit range checks got broken at some point - the
  sysexit critical region is always at higher addresses than the 'main'
  one, rendering the check pointless (but consuming execution time);
  since the supervisor mode kernel isn't actively used afaict, I moved
  that code into an #ifdef using a hypothetical config option
- the use of a numeric label across more than 300 lines of code always
  seemed pretty fragile to me, so the patch replaces this with a local
  named label
- streamlined the critical_region_fixup code to eliminate a branch

Comment 1 Eugene Teo (Security Response) 2009-05-15 00:07:14 EDT
A user mode application running in a x86 32bit Xen Guest could oops (denial of service) the guest by causing a segfault in certain address ranges.

(Just jumping to an address between "ecrit" and "scrit" symbols is sufficient.)

This is not a mainline Linux kernel issue, the bug is in the XEN patchset against the Linux kernel.
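The description and the comment above both come down to one decision in hypervisor_callback(): whether the interrupted frame's EIP falls inside the scrit..ecrit critical region and therefore needs critical_region_fixup, and whether that decision may be taken without first looking at the saved code selector. The following C model of that decision is added here for illustration; it is not the kernel's entry code, not the Xen patchset, and not the actual fix. The scrit/ecrit addresses, the selector values 0xe019 and 0x0073, and the sample frames are constructed for the example; the user/kernel distinction is modelled on the x86 RPL convention (low two bits of CS, USER_RPL = 3) from the Linux segment.h headers, while the exact form of the real fix's CS comparison is not shown on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the decision hypervisor_callback() makes before running
 * critical_region_fixup.  Illustration code for this bug report, not the
 * kernel's entry code.  Selector layout follows the x86 convention used in
 * arch/x86/include/asm/segment.h: the low two bits of a selector are its RPL
 * and USER_RPL is 3.  A 32-bit Xen PV guest kernel runs in ring 1, so its CS
 * has RPL 1, while user code has RPL 3.
 */
#define SEGMENT_RPL_MASK 0x3u
#define USER_RPL         3u

/* Constructed stand-ins for the scrit/ecrit symbols that bound the critical
 * region; in the real kernel they are link-time addresses in the entry code. */
static const uint32_t scrit = 0xc0103a00u;
static const uint32_t ecrit = 0xc0103a60u;

/* The two saved registers the check needs from the interrupted frame. */
struct frame {
    uint32_t eip;
    uint32_t cs;
};

enum outcome { FIXUP_SKIPPED = 0, FIXUP_APPLIED = 1 };

static bool eip_in_critical_region(const struct frame *f)
{
    return f->eip >= scrit && f->eip < ecrit;
}

static bool frame_is_user_mode(const struct frame *f)
{
    return (f->cs & SEGMENT_RPL_MASK) >= USER_RPL;
}

/*
 * Vulnerable variant: the address range is the only test.  A user process
 * that faults with EIP inside [scrit, ecrit) therefore gets the kernel's
 * critical_region_fixup applied to a user-mode frame, which is the oops
 * described in the report.
 */
enum outcome dispatch_vulnerable(const struct frame *f)
{
    return eip_in_critical_region(f) ? FIXUP_APPLIED : FIXUP_SKIPPED;
}

/*
 * Fixed variant: the fixup only makes sense when the interrupted code was the
 * kernel's own critical region, so the saved CS is checked before the address.
 */
enum outcome dispatch_fixed(const struct frame *f)
{
    if (frame_is_user_mode(f))
        return FIXUP_SKIPPED;
    return eip_in_critical_region(f) ? FIXUP_APPLIED : FIXUP_SKIPPED;
}

int main(void)
{
    /* Constructed frames.  0xe019 is a ring-1 (RPL 1) code selector of the
     * kind a Xen PV kernel uses; 0x0073 is the 32-bit Linux __USER_CS (RPL 3). */
    const struct frame cases[] = {
        { .eip = scrit + 0x10u, .cs = 0xe019u }, /* kernel, in range */
        { .eip = scrit + 0x10u, .cs = 0x0073u }, /* user, in range: the trigger */
        { .eip = ecrit + 0x40u, .cs = 0xe019u }, /* kernel, out of range */
        { .eip = 0x08048000u,   .cs = 0x0073u }, /* user, ordinary segfault */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("eip=%#010x cs=%#06x vulnerable=%s fixed=%s\n",
               (unsigned)cases[i].eip, (unsigned)cases[i].cs,
               dispatch_vulnerable(&cases[i]) == FIXUP_APPLIED ? "fixup" : "skip",
               dispatch_fixed(&cases[i]) == FIXUP_APPLIED ? "fixup" : "skip");
    }
    return 0;
}
```

The second constructed frame is the case from the comment above: a ring-3 process that segfaults at an address between the scrit and ecrit symbols. The vulnerable predicate treats it exactly like an interrupted kernel critical region and applies the fixup; the fixed predicate rejects it on the selector before the address is even compared.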

Comment 8 Eugene Teo (Security Response) 2009-05-15 03:43:12 EDT
Upstream commit:
Comment 16 Jan Lieskovsky 2009-05-22 07:13:03 EDT

The hypervisor_callback function in Xen, possibly before 3.4.0, as
applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other
versions allows guest user applications to cause a denial of service
(kernel oops) of the guest OS by triggering a segmentation fault in
"certain address ranges." 

Comment 19 errata-xmlrpc 2009-06-16 18:34:30 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html
Comment 20 errata-xmlrpc 2009-06-30 04:06:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html
