Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 655623 (CVE-2010-4238) - CVE-2010-4238 kernel: Xen Dom0 crash with Windows 2008 R2 64bit DomU + GPLPV
Summary: CVE-2010-4238 kernel: Xen Dom0 crash with Windows 2008 R2 64bit DomU + GPLPV
Status: NEW
Alias: CVE-2010-4238
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 635638 655624
TreeView+ depends on / blocked
Reported: 2010-11-22 01:25 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 17:01 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0017 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.6 kernel security and bug fix update 2011-01-13 10:37:42 UTC

Description Eugene Teo (Security Response) 2010-11-22 01:25:11 UTC
Description of problem:
Dom0 crashes when installing GPLPV drivers on Windows 2008 R2 guest.

Xen version: 3.1.2-194.11.3.el5 
Dom0 kernel: 2.6.18-194.11.3.el5xen 
GPLPV: gplpv_Vista2008x64_0.11.0.213.msi and older

Redirected to serial console output:

Unable to handle kernel NULL pointer dereference at 0000000000000108 RIP:
 [<ffffffff8883f03f>] :blkbk:update_blkif_status+0x21f/0x2ae
Oops: 0000 [1] SMP
last sysfs file: /class/net/lo/ifindex
Modules linked in: tun xfs ocfs2(U) ipt_MASQUERADE netloop iptable_nat ip_nat
netbk blktap blkbk mptctl mptbase ipmi_watchdog ipmi_si(U) ipmi_devintf(U)
ipmi_msghandler(U) autofs4 hidp l2cap bluetooth ocfs2_dlmfs(U) ocfs2_dlm(U)
ocfs2_nodemanager(U) configfs lockd sunrpc bonding ip_conntrack_netbios_ns
ipt_REJECT xt_state ip_conntrack nfnetlink xt_physdev bridge iptable_filter
ip_tables ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6
xfrm_nalgo crypto_api be2iscsi ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core
ib_addr iscsi_tcp bnx2i(U) cnic(U) cxgb3i cxgb3 libiscsi_tcp libiscsi2
scsi_transport_iscsi2 scsi_transport_iscsi loop dm_round_robin dm_multipath
scsi_dh video backlight sbs power_meter hwmon i2c_ec i2c_core dell_wmi wmi
button battery asus_acpi ac parport_pc lp parport sr_mod cdrom sg serio_raw
pcspkr hpilo serial_core bnx2x(U) 8021q dm_raid45 dm_message dm_region_hash
dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod usb_storage shpchp
cciss(U) sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 69, comm: xenwatch Tainted: G 2.6.18-194.11.3.el5xen 0000001
RIP: e030:[<ffffffff8883f03f>] [<ffffffff8883f03f>]
RSP: e02b:ffff88003e413df0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88003db2f620 RCX: 0000000000000003
RDX: ffffffffff578000 RSI: fffffffffffffffb RDI: 0000000000000000
RBP: ffff880031227b70 R08: 00000000ffffffff R09: 0000000000000020
R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8800087edb40
R13: 0000000000000000 R14: ffff880000e0bcf0 R15: ffffffff8029c1ef
FS: 00002b79280d26e0(0000) GS:ffffffff805d2100(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000
Process xenwatch (pid: 69, threadinfo ffff88003e412000, task ffff88003e3ea080)
Stack: 2e6b6361626b6c62 0000006364682e33 ffff880000000025 ffff8800087edb40
 ffff880034383c00 ffff8800087edb40 ffff880034383c00 ffffffff8883f2eb
 6669636570736e75 737361202c646569
Call Trace:
 [<ffffffff8883f2eb>] :blkbk:frontend_changed+0x21d/0x226
 [<ffffffff803b9c78>] xenwatch_thread+0x0/0x135
 [<ffffffff803b90ca>] xenwatch_handle_callback+0x15/0x48
 [<ffffffff803b9d94>] xenwatch_thread+0x11c/0x135
 [<ffffffff8029c407>] autoremove_wake_function+0x0/0x2e
 [<ffffffff8029c1ef>] keventd_create_kthread+0x0/0xc4
 [<ffffffff80233be4>] kthread+0xfe/0x132
 [<ffffffff80260b2c>] child_rip+0xa/0x12
 [<ffffffff8029c1ef>] keventd_create_kthread+0x0/0xc4
 [<ffffffff80233ae6>] kthread+0x0/0x132
 [<ffffffff80260b22>] child_rip+0x0/0x12

Code: 48 8b b8 08 01 00 00 e8 b3 f6 a7 f7 85 c0 89 c6 74 0d 48 8b
RIP [<ffffffff8883f03f>] :blkbk:update_blkif_status+0x21f/0x2ae
 RSP <ffff88003e413df0>
CR2: 0000000000000108
 <0>Kernel panic - not syncing: Fatal exception
 (XEN) Domain 0 crashed: rebooting machine in 5 seconds.



Red Hat would like to thank Vladymyr Denysov for reporting this issue.

Comment 4 errata-xmlrpc 2011-01-13 22:02:09 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html

Comment 5 errata-xmlrpc 2011-01-14 09:03:27 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html

Note You need to log in before you can comment on or make changes to this bug.