Bug 655623 - (CVE-2010-4238) CVE-2010-4238 kernel: Xen Dom0 crash with Windows 2008 R2 64bit DomU + GPLPV
CVE-2010-4238 kernel: Xen Dom0 crash with Windows 2008 R2 64bit DomU + GPLPV
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,reported=20100920,pub...
: Security
Depends On: 635638 655624
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-21 20:25 EST by Eugene Teo (Security Response)
Modified: 2015-08-19 04:59 EDT (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2010-11-21 20:25:11 EST
Description of problem:
Dom0 crashes when installing GPLPV drivers on Windows 2008 R2 guest.

Xen version: 3.1.2-194.11.3.el5 
Dom0 kernel: 2.6.18-194.11.3.el5xen 
GPLPV: gplpv_Vista2008x64_0.11.0.213.msi and older

Redirected to serial console output:

Unable to handle kernel NULL pointer dereference at 0000000000000108 RIP:
 [<ffffffff8883f03f>] :blkbk:update_blkif_status+0x21f/0x2ae
PGD 0
Oops: 0000 [1] SMP
last sysfs file: /class/net/lo/ifindex
CPU 2
Modules linked in: tun xfs ocfs2(U) ipt_MASQUERADE netloop iptable_nat ip_nat
netbk blktap blkbk mptctl mptbase ipmi_watchdog ipmi_si(U) ipmi_devintf(U)
ipmi_msghandler(U) autofs4 hidp l2cap bluetooth ocfs2_dlmfs(U) ocfs2_dlm(U)
ocfs2_nodemanager(U) configfs lockd sunrpc bonding ip_conntrack_netbios_ns
ipt_REJECT xt_state ip_conntrack nfnetlink xt_physdev bridge iptable_filter
ip_tables ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6
xfrm_nalgo crypto_api be2iscsi ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core
ib_addr iscsi_tcp bnx2i(U) cnic(U) cxgb3i cxgb3 libiscsi_tcp libiscsi2
scsi_transport_iscsi2 scsi_transport_iscsi loop dm_round_robin dm_multipath
scsi_dh video backlight sbs power_meter hwmon i2c_ec i2c_core dell_wmi wmi
button battery asus_acpi ac parport_pc lp parport sr_mod cdrom sg serio_raw
pcspkr hpilo serial_core bnx2x(U) 8021q dm_raid45 dm_message dm_region_hash
dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod usb_storage shpchp
cciss(U) sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 69, comm: xenwatch Tainted: G 2.6.18-194.11.3.el5xen 0000001
RIP: e030:[<ffffffff8883f03f>] [<ffffffff8883f03f>]
:blkbk:update_blkif_status+0x21f/0x2ae
RSP: e02b:ffff88003e413df0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88003db2f620 RCX: 0000000000000003
RDX: ffffffffff578000 RSI: fffffffffffffffb RDI: 0000000000000000
RBP: ffff880031227b70 R08: 00000000ffffffff R09: 0000000000000020
R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8800087edb40
R13: 0000000000000000 R14: ffff880000e0bcf0 R15: ffffffff8029c1ef
FS: 00002b79280d26e0(0000) GS:ffffffff805d2100(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000
Process xenwatch (pid: 69, threadinfo ffff88003e412000, task ffff88003e3ea080)
Stack: 2e6b6361626b6c62 0000006364682e33 ffff880000000025 ffff8800087edb40
 ffff880034383c00 ffff8800087edb40 ffff880034383c00 ffffffff8883f2eb
 6669636570736e75 737361202c646569
Call Trace:
 [<ffffffff8883f2eb>] :blkbk:frontend_changed+0x21d/0x226
 [<ffffffff803b9c78>] xenwatch_thread+0x0/0x135
 [<ffffffff803b90ca>] xenwatch_handle_callback+0x15/0x48
 [<ffffffff803b9d94>] xenwatch_thread+0x11c/0x135
 [<ffffffff8029c407>] autoremove_wake_function+0x0/0x2e
 [<ffffffff8029c1ef>] keventd_create_kthread+0x0/0xc4
 [<ffffffff80233be4>] kthread+0xfe/0x132
 [<ffffffff80260b2c>] child_rip+0xa/0x12
 [<ffffffff8029c1ef>] keventd_create_kthread+0x0/0xc4
 [<ffffffff80233ae6>] kthread+0x0/0x132
 [<ffffffff80260b22>] child_rip+0x0/0x12


Code: 48 8b b8 08 01 00 00 e8 b3 f6 a7 f7 85 c0 89 c6 74 0d 48 8b
RIP [<ffffffff8883f03f>] :blkbk:update_blkif_status+0x21f/0x2ae
 RSP <ffff88003e413df0>
CR2: 0000000000000108
 <0>Kernel panic - not syncing: Fatal exception
 (XEN) Domain 0 crashed: rebooting machine in 5 seconds.

http://bugs.centos.org/bug_view_advanced_page.php?bug_id=4517

Acknowledgements:

Red Hat would like to thank Vladymyr Denysov for reporting this issue.
Comment 4 errata-xmlrpc 2011-01-13 17:02:09 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html
Comment 5 errata-xmlrpc 2011-01-14 04:03:27 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html

Note You need to log in before you can comment on or make changes to this bug.