Bug 500945 (CVE-2009-1758) - CVE-2009-1758 kernel: xen: local denial of service
Summary: CVE-2009-1758 kernel: xen: local denial of service
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-1758
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 500948 500949 500950 500951 523641
Blocks:
Reported: 2009-05-15 04:05 UTC by Eugene Teo (Security Response)
Modified: 2021-11-12 19:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-06 08:06:13 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1106 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-06-16 22:34:13 UTC
Red Hat Product Errata RHSA-2009:1132 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-06-30 08:06:02 UTC

Description Eugene Teo (Security Response) 2009-05-15 04:05:13 UTC
Description of problem:
The missing check of the interrupted code's code selector in hypervisor_callback() allowed a user mode application to oops (and perhaps crash) the kernel.

Further adjustments:
- the 'main' critical region does not include the jmp following the
  disabling of interrupts
- the sysexit_[se]crit range checks got broken at some point - the
  sysexit critical region is always at higher addresses than the 'main'
  one, yielding the check pointless (but consuming execution time);
  since the supervisor mode kernel isn't actively used afaict, I moved
  that code into an #ifdef using a hypothetical config option
- the use of a numeric label across more than 300 lines of code always
  seemed pretty fragile to me, so the patch replaces this with a local
  named label
- streamlined the critical_region_fixup code to eliminate a branch

http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html

Comment 1 Eugene Teo (Security Response) 2009-05-15 04:07:14 UTC
A user mode application running in an x86 32-bit Xen guest could oops (denial of service) the guest by causing a segfault in certain address ranges.

(Just jumping to an address between "ecrit" and "scrit" symbols is sufficient.)

This is not a mainline Linux kernel issue, the bug is in the XEN patchset against the Linux kernel.

http://article.gmane.org/gmane.comp.security.oss.general/1757

Comment 8 Eugene Teo (Security Response) 2009-05-15 07:43:12 UTC
Upstream commit:
http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/9b9454800544

Comment 16 Jan Lieskovsky 2009-05-22 11:13:03 UTC
CVE-2009-1758:

The hypervisor_callback function in Xen, possibly before 3.4.0, as
applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other
versions allows guest user applications to cause a denial of service
(kernel oops) of the guest OS by triggering a segmentation fault in
"certain address ranges." 

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1758
http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
http://www.openwall.com/lists/oss-security/2009/05/14/2

Comment 19 errata-xmlrpc 2009-06-16 22:34:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html

Comment 20 errata-xmlrpc 2009-06-30 08:06:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html
