Bug 541160 (CVE-2009-4031) - CVE-2009-4031 kernel: KVM: x86 emulator: limit instructions to 15 bytes
Summary: CVE-2009-4031 kernel: KVM: x86 emulator: limit instructions to 15 bytes
Keywords:
Status: VERIFIED
Alias: CVE-2009-4031
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 541164 541165 545637 545645
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-25 05:03 UTC by Eugene Teo (Security Response)
Modified: 2019-09-29 12:33 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1659 normal SHIPPED_LIVE Moderate: kvm security and bug fix update 2009-12-09 16:28:49 UTC
Red Hat Product Errata RHSA-2009:1692 normal SHIPPED_LIVE Important: rhev-hypervisor security and bug fix update 2009-12-23 14:05:01 UTC

Description Eugene Teo (Security Response) 2009-11-25 05:03:06 UTC
Description of problem:
While we are never normally passed an instruction that exceeds 15 bytes, smp games can cause us to attempt to interpret one, which will cause large latencies in non-preempt hosts.

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commitdiff;h=e42d9b8141d1f54ff72ad3850bb110c95a5f3b88

Comment 4 Jan Lieskovsky 2009-11-30 13:55:59 UTC
Mitre's CVE-2009-4031 record:
-----------------------------

The do_insn_fetch function in arch/x86/kvm/emulate.c in the x86
emulator in the KVM subsystem in the Linux kernel before
2.6.32-rc8-next-20091125 tries to interpret instructions that contain
too many bytes to be valid, which allows guest OS users to cause a
denial of service (increased scheduling latency) on the host OS via
unspecified manipulations related to SMP support.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4031
http://www.openwall.com/lists/oss-security/2009/11/25/3
http://www.openwall.com/lists/oss-security/2009/11/25/1
http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commit;h=e42d9b8141d1f54ff72ad3850bb110c95a5f3b88
http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.32-rc8-next-20091125.gz

Comment 9 errata-xmlrpc 2009-12-09 16:28:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1659 https://rhn.redhat.com/errata/RHSA-2009-1659.html

Comment 10 Fedora Update System 2009-12-10 22:54:33 UTC
kernel-2.6.27.41-170.2.117.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.41-170.2.117.fc10

Comment 11 Fedora Update System 2009-12-11 18:26:13 UTC
kernel-2.6.27.41-170.2.117.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2009-12-23 14:05:07 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Virtualization for RHEL-5

Via RHSA-2009:1692 https://rhn.redhat.com/errata/RHSA-2009-1692.html

Comment 13 Aristeu Rozanski 2010-01-26 13:08:58 UTC
Patch present on current RHEL6 git tree.


Note You need to log in before you can comment on or make changes to this bug.