Red Hat Bugzilla – Bug 530515
CVE-2009-3638 kernel: kvm: integer overflow in kvm_dev_ioctl_get_supported_cpuid()
Last modified: 2012-07-16 13:11:58 EDT
Quote from the upstream commit:
"The number of entries is multiplied by the entry size, which can overflow on 32-bit hosts. Bound the entry count instead."
if (cpuid->nent < 1)
+ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
+ cpuid->nent = KVM_MAX_CPUID_ENTRIES;
r = -ENOMEM;
cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
This one can be triggered if /dev/kvm is user accessible (which is recommended...). This was introduced in v2.6.25-rc1, and fixed in v2.6.32-rc4. Only affects 32-bit machines.
Also fixed in 184.108.40.206
(In reply to comment #0)
> This one can be triggered if /dev/kvm is user accessible (which is
> recommended...). This was introduced in v2.6.25-rc1, and fixed in v2.6.32-rc4.
> Only affects 32-bit machines.
Since this affects 32-bit machines, and we only support x86_64 KVM hosts on Red Hat Enterprise Linux 5, this bug will be closed as NOTABUG.
kernel-220.127.116.11-96.fc11 has been submitted as an update for Fedora 11.
kernel-18.104.22.168-170.2.113.fc10 has been submitted as an update for Fedora 10.
kernel-22.214.171.124-96.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
kernel-126.96.36.199-170.2.113.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.