Bug 658155 (CVE-2010-4255) - CVE-2010-4255 xen: 64-bit PV xen guest can crash host by accessing hypervisor per-domain memory area
Summary: CVE-2010-4255 xen: 64-bit PV xen guest can crash host by accessing hypervisor...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2010-4255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 658353 658354
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-29 14:26 UTC by Paolo Bonzini
Modified: 2019-09-29 12:41 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-06 08:04:25 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0017 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.6 kernel security and bug fix update 2011-01-13 10:37:42 UTC

Comment 1 Adrien Kunysz 2010-11-29 15:38:58 UTC
The bug description and patch in upstream xen-devel mailing list: http://lists.xensource.com/archives/html/xen-devel/2010-11/msg01650.html

Comment 2 Eugene Teo (Security Response) 2010-11-30 05:00:52 UTC
handle_gdt_ldt_mapping_fault() is intended to deal with indirect accesses (i.e. those caused by descriptor loads) to the GDT/LDT mapping area only. While for 32-bit segment limits indeed prevent the function being entered for direct accesses (i.e. a #GP fault will be raised even before the address translation gets done, on 64-bit even user mode accesses would lead to control reaching the BUG_ON() at the beginning of that function.

Fortunately the fix is simple: Since the guest kernel runs in ring 3, any guest direct access will have the "user mode" bit set, whereas descriptor loads always do the translations to access the actual descriptors as kernel mode ones.

Comment 5 errata-xmlrpc 2011-01-13 22:02:41 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html

Comment 6 errata-xmlrpc 2011-01-14 09:03:34 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html


Note You need to log in before you can comment on or make changes to this bug.