Bug 728042 - (CVE-2011-2901) CVE-2011-2901 kernel: xen: off-by-one shift in x86_64 __addr_ok()
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Depends On: 719850 728043 753009 798934
Blocks: 728040
Reported: 2011-08-03 21:35 EDT by Eugene Teo (Security Response)
Modified: 2016-11-08 10:59 EST
Doc Type: Bug Fix
Last Closed: 2012-05-10 04:16:57 EDT
Attachments:
upstream patch (1.01 KB, patch), 2011-09-02 17:13 EDT, Vincent Danen

Description Eugene Teo (Security Response) 2011-08-03 21:35:24 EDT
The x86_64 __addr_ok() macro intends to ensure that the checked address is either in the positive half of the 48-bit virtual address space, or above the Xen-reserved area. However, the current shift count is off-by-one, allowing full access to the "negative half" too, via certain hypercalls which ignore virtual-address bits [63:48]. 

As a result, a malicious guest administrator on a vulnerable system is able to crash the host.

There are no known further exploits but these have not been ruled out.
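An added illustration, not taken from the bug report or from the Xen patch: the two forms of the check are reconstructed from the description above (the shift counts 48 and 47 and the HYPERVISOR_VIRT_START/END values are assumptions), and a small model of a hypercall path that ignores address bits [63:48] shows which sample addresses each form lets through.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed Xen x86-64 layout constants for this demo (not taken from the bug page). */
#define HYPERVISOR_VIRT_START UINT64_C(0xffff800000000000)
#define HYPERVISOR_VIRT_END   UINT64_C(0xffff880000000000)

/* Buggy form: a shift of 48 admits the whole 48-bit space, negative half included. */
#define ADDR_OK_BUGGY(addr) \
    (((uint64_t)(addr) < (UINT64_C(1) << 48)) || ((uint64_t)(addr) >= HYPERVISOR_VIRT_END))

/* Fixed form: a shift of 47 admits only the positive (guest user) half of the 48-bit space. */
#define ADDR_OK_FIXED(addr) \
    (((uint64_t)(addr) < (UINT64_C(1) << 47)) || ((uint64_t)(addr) >= HYPERVISOR_VIRT_END))

/* Canonical address reached by a hypercall path that ignores bits [63:48]:
 * keep bits [47:0] and sign-extend from bit 47, which is what a page-table
 * walk driven only by the low 48 bits effectively does. */
uint64_t effective_addr(uint64_t addr)
{
    uint64_t low48 = addr & ((UINT64_C(1) << 48) - 1);
    return (low48 & (UINT64_C(1) << 47)) ? (low48 | ~((UINT64_C(1) << 48) - 1)) : low48;
}

bool in_xen_range(uint64_t addr)
{
    return addr >= HYPERVISOR_VIRT_START && addr < HYPERVISOR_VIRT_END;
}

/* True when the check accepts addr although the hypercall would touch Xen's own range. */
bool buggy_check_leaks(uint64_t addr) { return ADDR_OK_BUGGY(addr) && in_xen_range(effective_addr(addr)); }
bool fixed_check_leaks(uint64_t addr) { return ADDR_OK_FIXED(addr) && in_xen_range(effective_addr(addr)); }

int main(void)
{
    /* Constructed sample addresses: guest user space, start of Xen's range, first address
     * above Xen's range, and a value with bits [63:48] clear but bit 47 set. */
    const uint64_t samples[] = { UINT64_C(0x00007fffffffffff), UINT64_C(0xffff800000000000),
                                 UINT64_C(0xffff880000000000), UINT64_C(0x0000800000000000) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t a = samples[i];
        printf("%#018llx buggy=%d fixed=%d effective=%#018llx leak(buggy)=%d leak(fixed)=%d\n",
               (unsigned long long)a, ADDR_OK_BUGGY(a), ADDR_OK_FIXED(a),
               (unsigned long long)effective_addr(a), buggy_check_leaks(a), fixed_check_leaks(a));
    }
    return 0;
}
```

Only the last sample separates the two forms: the buggy shift accepts it while its effective target lies inside the reserved range, and the fixed shift rejects it.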
Comment 2 Petr Matousek 2011-08-11 10:32:21 EDT
The versions of the Linux kernel as shipped with Red Hat Enterprise Linux 4, 6, and Red Hat Enterprise MRG are not affected. This has been addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1212.html.
Comment 5 Vincent Danen 2011-09-02 17:13:28 EDT
Created attachment 521288
upstream patch

From the upstream advisory: http://www.openwall.com/lists/oss-security/2011/09/02/2
Comment 6 errata-xmlrpc 2011-09-13 11:44:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1212 https://rhn.redhat.com/errata/RHSA-2011-1212.html
Comment 8 errata-xmlrpc 2011-12-13 16:29:25 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6.Z - Server Only

Via RHSA-2011:1813 https://rhn.redhat.com/errata/RHSA-2011-1813.html
Comment 9 Petr Matousek 2012-03-01 05:29:25 EST
Created xen tracking bugs for this issue

Affects: fedora-all [bug 798934]