Bug 702657 - (CVE-2011-1780) CVE-2011-1780 kernel: xen: svm: insufficiencies in handling emulated instructions during vm exits
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: x86_64 Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: reported=20110511,public=20110707,imp...
Keywords: Security
Depends On: 703715 703716
Blocks: 718617

Reported: 2011-05-06 09:52 EDT by Huang Wenlong
Modified: 2015-08-02 20:03 EDT (History)
Attachments
check inst_len and return on zero (3.68 KB, patch)
2011-05-17 14:02 EDT, Andrew Jones

Description Huang Wenlong 2011-05-06 09:52:31 EDT
A bug was found in the way Xen handles instruction emulation during VM exits. A malicious guest user space process running in an SMP guest can trick the emulator into reading a different instruction than the one that caused the VM exit. To do so it should run a legitimate instruction that causes a VM exit in one thread and replace this instruction with another one from a second thread. An unprivileged guest user can potentially use this flaw to crash the host.

-------------------------------------------------------------

Original name:
xen: svvp Disable Enable With IO will reboot the host whose CPU is AMD

Description of problem:
svvp Disable Enable With IO will reboot the host

svvp "Disable Enable with IO"'s child job "Driver Verifier -Enable"'s child job "Reboot System Under Test" should only reboot the guest, but when the guest prepares to enter the desktop after the reboot, the host (SUT) will reboot.


Version-Release number of selected component (if applicable):
xen-3.0.3-129.el5
kernel-xen-2.6.18-257.el5
xenpv-win-1.3.4-9.el5

How reproducible:
100%


Steps to Reproduce:
1. run the Disable Enable With IO

Actual results:
host will reboot

Expected results:
host should not reboot

Additional info:
Sometimes, even when the guest does not run the disable and enable jobs, the host will reboot when I reboot a guest that has run the disable and enable job once.
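The attached patch title ("check inst_len and return on zero") names the defensive check: an SVM exit handler must not trust that the bytes it fetches from guest memory are still the instruction that caused the exit. The following is an added model of that check and of the race it closes; it is not Xen's code. It assumes a two-entry opcode table, a flat guest memory buffer, and that the hardened handler answers a zero length by injecting #GP into the guest (the attachment title only says it returns).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical model, not Xen's code: each intercept is paired with the
 * opcode bytes (constructed) that can legitimately raise it. */
enum exit_reason { EXIT_CPUID, EXIT_HLT };
enum verdict { INJECT_GP = 0, EMULATED = 1 };
struct expected { size_t len; uint8_t bytes[2]; };
static const struct expected patterns[] = {
    [EXIT_CPUID] = { 2, { 0x0f, 0xa2 } },
    [EXIT_HLT]   = { 1, { 0xf4 } },
};

/* Fetch the bytes at rip from guest memory and return the instruction
 * length only if they still match the exit reason, 0 otherwise. Another
 * vCPU may rewrite these bytes between the #VMEXIT and this fetch. */
size_t get_instruction_length(const uint8_t *mem, size_t mem_len,
                              uint64_t rip, enum exit_reason reason)
{
    const struct expected *e = &patterns[reason];
    if (rip >= mem_len || mem_len - (size_t)rip < e->len)
        return 0;
    return memcmp(mem + rip, e->bytes, e->len) == 0 ? e->len : 0;
}

/* Exit handler with the fix's check: zero length means the instruction was
 * swapped under us, so refuse to emulate and inject #GP into the guest. With
 * checked == 0 it trusts the exit reason and emulates a stale instruction. */
enum verdict handle_vmexit(const uint8_t *mem, size_t mem_len, uint64_t *rip,
                           enum exit_reason reason, int checked)
{
    size_t len = get_instruction_length(mem, mem_len, *rip, reason);
    if (checked && len == 0)
        return INJECT_GP;
    *rip += len ? len : patterns[reason].len;   /* skip the instruction */
    return EMULATED;
}

/* Replay the race on constructed memory: CPUID traps, then a second vCPU
 * swaps in HLT before the fetch. Returns 1 when only the unchecked path goes ahead. */
int swapped_instruction_scenario(void)
{
    uint8_t mem[4] = { 0x0f, 0xa2, 0x90, 0x90 };      /* cpuid; nop; nop */
    uint64_t rip_h = 0, rip_u = 0;
    mem[0] = 0xf4; mem[1] = 0x90;                     /* now hlt; nop */
    enum verdict h = handle_vmexit(mem, sizeof mem, &rip_h, EXIT_CPUID, 1);
    enum verdict u = handle_vmexit(mem, sizeof mem, &rip_u, EXIT_CPUID, 0);
    return h == INJECT_GP && rip_h == 0 && u == EMULATED && rip_u == 2;
}
```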
Comment 27 Petr Matousek 2011-05-12 11:05:32 EDT
Statement:

This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6, and Red Hat Enterprise MRG. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1065.html.

Also, only systems running on the x86 architecture with an AMD processor and the SVM virtualization extension enabled are affected.
Comment 40 errata-xmlrpc 2011-07-21 05:21:48 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1065 https://rhn.redhat.com/errata/RHSA-2011-1065.html
Comment 41 errata-xmlrpc 2011-07-21 07:45:31 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1065 https://rhn.redhat.com/errata/RHSA-2011-1065.html
Comment 42 errata-xmlrpc 2011-08-16 14:34:15 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6.Z - Server Only

Via RHSA-2011:1163 https://rhn.redhat.com/errata/RHSA-2011-1163.html