Escalated to Bugzilla from IssueTracker
RHN System ID:
Customer Contact Name: Atsushi SAKAI
Summary: [Xen][5.2] Security: some HVM domain can access another domain memory.
Version-Release number of selected component.
Red Hat Enterprise Linux Version Number: 5.1RC
Release Number: none
Architecture: IA64
Kernel Version: 2.6.18
Related Package Version: none
Related Middleware/Application: none
Drivers or hardware or architecture dependency:
“None. This bug is generated regardless of driver.”
“None. This bug is generated regardless of hardware.”
IA64

Description of Problem:
Some HVM domain can access another domain's memory.
Tristan Gingold wrote: This is a security hole as it allowed a VTi domain to read memory of any other domain.
http://lists.xensource.com/archives/html/xen-ia64-devel/2007-10/msg00189.html

How reproducible: Always
Step to Reproduce: Some security fault application gets root privilege on the guest OS (HVM) and executes memory access in kernel mode.
Actual Results: Can access another domain's memory.
Expected Results: Cannot access another domain's memory.
Summary of actions taken to resolve issue: none
Location of diagnostic data: none

Hardware configuration:
Model: PRIMEQUEST
CPU Info: Itanium 2
Memory Info: 32GB
Hardware Component Information: none
Configuration Info: none

Business Impact: Security fault.
Fix Target: 5.2 errata
Request: None
Hotfix Request: None

Additional Info:
16210: [IA64] Define IA64_DOMAIN_RID_BITS_OFFSET.
http://xenbits.xensource.com/xen-unstable.hg?rev/71fcc70ea78b
16212: [IA64] Check range of r2 for mov rr[r3]=r2
http://xenbits.xensource.com/xen-unstable.hg?rev/359484cee7d9

This event sent from IssueTracker by csnook [Support Engineering Group] issue 138409
Hi Sakai-san,

I'll escalate this issue as a security issue. On ahead, please let me confirm one point.
- Did you confirm this issue on RHEL5? If you confirmed it, we need the sysreport.
Even if you didn't confirm, I'll escalate this to Engineering to have them review this.

Regards,

## Please set the version of RHEL having the problem to
## the form "version" on IT tickets.
## I'll change into 5.1.

Internal Status set to 'Waiting on Customer'
Status set to: Waiting on Client
Priority set to: 1
Version changed from '5.2' to '5.1'

This event sent from IssueTracker by csnook [Support Engineering Group] issue 138409
> Did you confirm this issue on RHEL5?

I confirmed only the kernel's source code. The version is 2.6.18-53.el5.

Thanks,
KUWAMURA Shin'ya

Internal Status set to 'Waiting on Support'
Status set to: Waiting on Tech

This event sent from IssueTracker by csnook [Support Engineering Group] issue 138409
General Escalation Information

State the problem
1. Provide time and date of problem
2. Provide clear and concise problem description as it is understood at the time of escalation
   some HVM domain can access another domain memory.
   Tristan Gingold wrote: This is a security hole as it allowed a VTi domain to read memory of any other domain.
   http://lists.xensource.com/archives/html/xen-ia64-devel/2007-10/msg00189.html
3. State specific action requested of SEG
   Please escalate to Engineering.
4. State whether or not a defect in the product is suspected
5. If there is a proposed patch, make sure it is in unified diff format (diff -pruN)
   http://lists.xensource.com/archives/html/xen-ia64-devel/2007-10/msg00189.html

Issue escalated to Support Engineering Group by: mmatsuya.
Internal Status set to 'Waiting on SEG'

This event sent from IssueTracker by csnook [Support Engineering Group] issue 138409
This one has not been assigned a CVE number yet. Will attach it as soon as it gets one.
Marking ia64 as that is the only architecture concerned.
Created attachment 289141: back-port of relevant upstream changesets

Here's the backport of the relevant upstream changesets, plus one additional fix:
http://lists.xensource.com/archives/html/xen-ia64-devel/2007-12/msg00133.html
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0154.html