Bug 728042 (CVE-2011-2901) - CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok()
Summary: CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-2901
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 719850 728043 753009 798934
Blocks: 728040
TreeView+ depends on / blocked
 
Reported: 2011-08-04 01:35 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 14:58 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-10 08:16:57 UTC
Embargoed:


Attachments (Terms of Use)
upstream patch (1.01 KB, patch)
2011-09-02 21:13 UTC, Vincent Danen
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1212 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-09-06 21:41:35 UTC
Red Hat Product Errata RHSA-2011:1813 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-12-14 02:28:38 UTC

Description Eugene Teo (Security Response) 2011-08-04 01:35:24 UTC
The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the "negative half" too, via certain hypercalls which ignore virtual-address bits [63:48]. 

As a result, a malicious guest administrator on a vulnerable system is able to crash the host.

There are no known further exploits but these have not been ruled out.

Comment 2 Petr Matousek 2011-08-11 14:32:21 UTC
Statement:

The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6,
and Red Hat Enterprise MRG are not affected. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1212.html.

Comment 5 Vincent Danen 2011-09-02 21:13:28 UTC
Created attachment 521288 [details]
upstream patch

From the upstream advisory:  http://www.openwall.com/lists/oss-security/2011/09/02/2

Comment 6 errata-xmlrpc 2011-09-13 15:44:20 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1212 https://rhn.redhat.com/errata/RHSA-2011-1212.html

Comment 8 errata-xmlrpc 2011-12-13 21:29:25 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6.Z - Server Only

Via RHSA-2011:1813 https://rhn.redhat.com/errata/RHSA-2011-1813.html

Comment 9 Petr Matousek 2012-03-01 10:29:25 UTC
Created xen tracking bugs for this issue

Affects: fedora-all [bug 798934]


Note You need to log in before you can comment on or make changes to this bug.