Bug 702657 (CVE-2011-1780) - CVE-2011-1780 kernel: xen: svm: insufficiencies in handling emulated instructions during vm exits
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1780
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 703715 703716
Blocks: 718617
Reported: 2011-05-06 13:52 UTC by Huang Wenlong
Modified: 2021-02-24 15:29 UTC
CC List: 14 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-15 16:49:32 UTC
Embargoed:


Attachments
check inst_len and return on zero (3.68 KB, patch), 2011-05-17 18:02 UTC, Andrew Jones


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1065 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.7 kernel security and bug fix update 2011-07-21 09:21:37 UTC
Red Hat Product Errata RHSA-2011:1163 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-08-16 18:34:09 UTC

Description Huang Wenlong 2011-05-06 13:52:31 UTC
A bug was found in the way Xen handles instruction emulation during VM exits. A malicious guest user space process running in an SMP guest can trick the emulator into reading a different instruction than the one that caused the VM exit. To do so, it should run a legitimate instruction that causes a VM exit in one thread and replace this instruction with another one from a second thread. An unprivileged guest user can potentially use this flaw to crash the host.

-------------------------------------------------------------

Original name:
xen: svvp Disable Enable With IO will reboot the host whose CPU is AMD

Description of problem:
svvp Disable Enable With IO will reboot the host

svvp "Disable Enable with IO"'s child job "Driver Verifier -Enable"'s child job "Reboot System Under Test" should only reboot the guest, but when the guest prepares to enter the desktop after the reboot, the host (SUT) reboots.


Version-Release number of selected component (if applicable):
xen-3.0.3-129.el5
kernel-xen-2.6.18-257.el5
xenpv-win-1.3.4-9.el5

How reproducible:
100%


Steps to Reproduce:
1. run the Disable Enable With IO

Actual results:
host will reboot

Expected results:
host should not reboot 

Additional info:
Sometimes, even when the guest does not run the disable and enable jobs, the host will reboot when I reboot a guest which has run the disable and enable job once.
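The race described in this report, as an added illustrative model that is not part of the bug report or of Xen's code: a toy SVM-style exit handler that re-reads the instruction from guest memory after the exit and refuses to emulate unless the decoded length and instruction class agree with what the hardware recorded at exit time. The `inst_len` field, the tiny two-class decoder, the constructed guest page and the reject policy are assumptions chosen to mirror the attachment's name ("check inst_len and return on zero"); they are not the actual patch. The SVM exit codes used (0x7b for IOIO, 0x78 for HLT) are the architectural values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not Xen's code) of a VM-exit record and the emulator that
 * services it. The point it demonstrates: because the emulator fetches the
 * instruction bytes from guest memory *after* the exit, a second guest thread
 * may have rewritten them, so the handler must cross-check what it decodes
 * against the hardware's view of the exit before acting on it. */

enum exit_reason { EXIT_HLT = 0x78, EXIT_IOIO = 0x7b };   /* architectural SVM exit codes */
enum insn_kind   { INSN_UNKNOWN, INSN_IO, INSN_HLT };
enum             { EMUL_OK = 0, EMUL_REJECT = -1 };

struct insn   { enum insn_kind kind; uint32_t len; };
struct vmexit {
    enum exit_reason reason;
    uint64_t rip;        /* guest RIP of the instruction that caused the exit */
    uint32_t inst_len;   /* length recorded by hardware at exit; 0 = not provided (assumption) */
};

/* Minimal decoder covering only the opcodes this model cares about. */
static bool decode(const uint8_t *p, size_t avail, struct insn *out)
{
    if (avail == 0) return false;
    switch (p[0]) {
    case 0xEC: case 0xED: case 0xEE: case 0xEF:       /* IN/OUT via DX: 1 byte */
        out->kind = INSN_IO; out->len = 1; return true;
    case 0xE4: case 0xE5: case 0xE6: case 0xE7:       /* IN/OUT with imm8 port: 2 bytes */
        if (avail < 2) return false;
        out->kind = INSN_IO; out->len = 2; return true;
    case 0xF4:                                        /* HLT: 1 byte */
        out->kind = INSN_HLT; out->len = 1; return true;
    default:
        out->kind = INSN_UNKNOWN; out->len = 1; return true;
    }
}

/* Hardened handler: bail on a missing length, on a length that no longer matches
 * the bytes in memory, or on an instruction class that does not fit the exit. */
int handle_exit(const uint8_t *guest_mem, size_t mem_size, const struct vmexit *e)
{
    struct insn d;
    if (e->inst_len == 0)       return EMUL_REJECT;   /* "return on zero" */
    if (e->rip >= mem_size)     return EMUL_REJECT;
    if (!decode(guest_mem + e->rip, mem_size - e->rip, &d)) return EMUL_REJECT;
    if (d.len != e->inst_len)   return EMUL_REJECT;   /* bytes changed under us */
    switch (e->reason) {
    case EXIT_IOIO: return d.kind == INSN_IO  ? EMUL_OK : EMUL_REJECT;
    case EXIT_HLT:  return d.kind == INSN_HLT ? EMUL_OK : EMUL_REJECT;
    }
    return EMUL_REJECT;
}

/* Scenarios over a constructed 16-byte guest page holding OUT DX,AL at offset 4. */
int scenario_consistent(void)
{
    uint8_t mem[16] = {0}; mem[4] = 0xEE;
    struct vmexit e = { EXIT_IOIO, 4, 1 };
    return handle_exit(mem, sizeof mem, &e);        /* EMUL_OK */
}

int scenario_swapped_longer(void)
{
    uint8_t mem[16] = {0}; mem[4] = 0xEE;
    struct vmexit e = { EXIT_IOIO, 4, 1 };
    mem[4] = 0xE6; mem[5] = 0x80;                   /* second thread: now OUT 0x80,AL (2 bytes) */
    return handle_exit(mem, sizeof mem, &e);        /* EMUL_REJECT: length mismatch */
}

int scenario_swapped_same_len(void)
{
    uint8_t mem[16] = {0}; mem[4] = 0xEE;
    struct vmexit e = { EXIT_IOIO, 4, 1 };
    mem[4] = 0xF4;                                  /* second thread: now HLT (also 1 byte) */
    return handle_exit(mem, sizeof mem, &e);        /* EMUL_REJECT: class mismatch */
}

int scenario_no_inst_len(void)
{
    uint8_t mem[16] = {0}; mem[4] = 0xEE;
    struct vmexit e = { EXIT_IOIO, 4, 0 };          /* hardware gave no length */
    return handle_exit(mem, sizeof mem, &e);        /* EMUL_REJECT */
}

int main(void)
{
    printf("consistent:       %d\n", scenario_consistent());
    printf("swapped (longer): %d\n", scenario_swapped_longer());
    printf("swapped (same):   %d\n", scenario_swapped_same_len());
    printf("no inst_len:      %d\n", scenario_no_inst_len());
    return 0;
}
```

The same-length scenario is the one worth noticing: a length check alone is not enough, because the attacker-chosen replacement can be exactly as long as the original, so the handler also has to confirm that the decoded instruction class is one the reported exit reason could have produced.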

Comment 27 Petr Matousek 2011-05-12 15:05:32 UTC
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6, and Red Hat Enterprise MRG. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1065.html.

Also, only systems running on x86 architecture with AMD processor and SVM virtualization extension enabled are affected.

Comment 40 errata-xmlrpc 2011-07-21 09:21:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1065 https://rhn.redhat.com/errata/RHSA-2011-1065.html

Comment 41 errata-xmlrpc 2011-07-21 11:45:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1065 https://rhn.redhat.com/errata/RHSA-2011-1065.html

Comment 42 errata-xmlrpc 2011-08-16 18:34:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6.Z - Server Only

Via RHSA-2011:1163 https://rhn.redhat.com/errata/RHSA-2011-1163.html
