Bug 658155 - (CVE-2010-4255) CVE-2010-4255 xen: 64-bit PV xen guest can crash host by accessing hypervisor per-domain memory area
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
reported=20101130,public=20101129,sou...
: Security
Depends On: 658353 658354
Blocks:
Reported: 2010-11-29 09:26 EST by Paolo Bonzini
Modified: 2015-08-19 05:00 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-04-06 04:04:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments: None
Comment 1 Adrien Kunysz 2010-11-29 10:38:58 EST
The bug description and patch in upstream xen-devel mailing list: http://lists.xensource.com/archives/html/xen-devel/2010-11/msg01650.html
Comment 2 Eugene Teo (Security Response) 2010-11-30 00:00:52 EST
handle_gdt_ldt_mapping_fault() is intended to deal with indirect accesses (i.e. those caused by descriptor loads) to the GDT/LDT mapping area only. While for 32-bit segment limits indeed prevent the function being entered for direct accesses (i.e. a #GP fault will be raised even before the address translation gets done), on 64-bit even user mode accesses would lead to control reaching the BUG_ON() at the beginning of that function.

Fortunately the fix is simple: Since the guest kernel runs in ring 3, any guest direct access will have the "user mode" bit set, whereas descriptor loads always do the translations to access the actual descriptors as kernel mode ones.
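The following is an added illustration, not code from this bug or from the Xen hypervisor: a simplified C model of the page-fault dispatch that comment 2 describes. It assumes that faults in the hypervisor range are first filtered by bits of the x86 page-fault error code before being handed to the GDT/LDT handler (the real Xen function names, and the hypervisor-range/GDT-LDT address constants used below, are stand-ins chosen for the model). The model shows why a direct access from a 64-bit PV guest, whose kernel runs in ring 3 and therefore faults with the user-mode bit set, reaches the BUG_ON() path before the fix and is simply bounced back to the guest after it, while a genuine descriptor load (translated as a kernel-mode access) is still serviced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86 page-fault error-code bits (architectural values). */
#define PFEC_page_present   (1u << 0)
#define PFEC_write_access   (1u << 1)
#define PFEC_user_mode      (1u << 2)
#define PFEC_reserved_bit   (1u << 3)

/* Hypothetical layout constants for this model only; not Xen's real addresses. */
#define HYPERVISOR_START    0xFFFF800000000000ULL
#define GDT_LDT_VIRT_START  0xFFFF820000000000ULL
#define GDT_LDT_VIRT_END    0xFFFF828000000000ULL

enum fault_outcome {
    FORWARD_TO_GUEST = 0,        /* fault is propagated to the guest as a normal #PF */
    HANDLED_DESCRIPTOR_LOAD = 1, /* GDT/LDT shadow mapping was populated */
    HYPERVISOR_BUG = 2           /* the BUG_ON() crash path the advisory describes */
};

/* Stand-in for the GDT/LDT mapping fault handler: it assumes only descriptor
 * loads (kernel-mode translations) ever reach it, so a user-mode fault here
 * corresponds to the BUG_ON() at the top of the real function. */
static enum fault_outcome
handle_gdt_ldt_mapping_fault_model(uint64_t offset, uint32_t error_code)
{
    (void)offset;
    if (error_code & PFEC_user_mode)
        return HYPERVISOR_BUG;
    return HANDLED_DESCRIPTOR_LOAD;
}

/* Stand-in for the hypervisor's fault fixup dispatch. 'patched' selects whether
 * the user-mode bit is part of the reject mask, which is the essence of the fix
 * described in comment 2. */
static enum fault_outcome
fixup_page_fault_model(uint64_t addr, uint32_t error_code, bool patched)
{
    if (addr < HYPERVISOR_START)
        return FORWARD_TO_GUEST;  /* ordinary guest address: not our concern here */

    /* Reserved-bit faults are never descriptor loads. After the fix, neither is
     * anything with the user-mode bit set, because a direct guest access from
     * ring 3 always carries it while descriptor-load translations do not. */
    uint32_t reject = PFEC_reserved_bit;
    if (patched)
        reject |= PFEC_user_mode;

    if (!(error_code & reject) &&
        addr >= GDT_LDT_VIRT_START && addr < GDT_LDT_VIRT_END)
        return handle_gdt_ldt_mapping_fault_model(addr - GDT_LDT_VIRT_START,
                                                  error_code);
    return FORWARD_TO_GUEST;
}

int main(void)
{
    /* Constructed sample faults: a direct guest access (user-mode bit set) and a
     * descriptor-load translation (kernel-mode) into the GDT/LDT area. */
    uint64_t in_area = GDT_LDT_VIRT_START + 0x1000;
    uint32_t direct  = PFEC_user_mode | PFEC_write_access;
    uint32_t descr   = 0;

    printf("direct access, unpatched : %d\n", fixup_page_fault_model(in_area, direct, false));
    printf("direct access, patched   : %d\n", fixup_page_fault_model(in_area, direct, true));
    printf("descriptor load, patched : %d\n", fixup_page_fault_model(in_area, descr, true));
    return 0;
}
```

The detection-side takeaway for a host operator is that, once patched, such accesses surface inside the guest as ordinary page faults rather than as a hypervisor panic, so a guest that keeps triggering them is a guest-local problem rather than a host-availability one.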
Comment 5 errata-xmlrpc 2011-01-13 17:02:41 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html
Comment 6 errata-xmlrpc 2011-01-14 04:03:34 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html