Description of problem: The missing check of the interrupted code's code selector in hypervisor_callback() allowed a user mode application to oops (and perhaps crash) the kernel.

Further adjustments:
- the 'main' critical region does not include the jmp following the disabling of interrupts
- the sysexit_[se]crit range checks got broken at some point
- the sysexit critical region is always at higher addresses than the 'main' one, yielding the check pointless (but consuming execution time); since the supervisor mode kernel isn't actively used afaict, I moved that code into an #ifdef using a hypothetical config option
- the use of a numeric label across more than 300 lines of code always seemed pretty fragile to me, so the patch replaces this with a local named label
- streamlined the critical_region_fixup code to eliminate a branch

http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
A user mode application running in an x86 32-bit Xen guest could cause an oops (denial of service) of the guest by causing a segfault in certain address ranges. (Just jumping to an address between the "scrit" and "ecrit" symbols is sufficient.) This is not a mainline Linux kernel issue; the bug is in the Xen patchset against the Linux kernel.

http://article.gmane.org/gmane.comp.security.oss.general/1757
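To make the missing check concrete, here is an added C model (not code from the Xen patch or the kernel) of the decision hypervisor_callback makes before jumping to critical_region_fixup: the vulnerable form tests only the saved EIP against the scrit/ecrit range, the fixed form first checks the saved code selector's privilege level. The scrit/ecrit addresses, the struct layout and the selector values are constructed stand-ins; only the low two RPL bits of the selector matter for the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the linker labels bounding the critical region. */
#define SCRIT 0xc0102000u
#define ECRIT 0xc0102040u

/* A 32-bit Xen PV guest kernel runs in ring 1, user code in ring 3.
 * The requestor privilege level is the low two bits of a selector. */
#define SELECTOR_RPL(cs) ((cs) & 3u)
#define RPL_USER 3u

/* Constructed selector values: one with RPL 1 (kernel), one with RPL 3 (user). */
#define CS_KERNEL_RPL1 0xe019u
#define CS_USER_RPL3   0xe02bu

/* Minimal model of the registers SAVE_ALL leaves on the stack. */
struct saved_frame {
    uint32_t eip;
    uint16_t cs;
};

/* Vulnerable logic: only EIP is examined, so a user-mode EIP that lands in
 * [scrit, ecrit) is treated as kernel code inside the critical region and the
 * fixup rewrites a frame that is not a kernel frame at all (the reported oops). */
bool needs_fixup_vulnerable(const struct saved_frame *f)
{
    return f->eip >= SCRIT && f->eip < ECRIT;
}

/* Fixed logic: the range test is only meaningful for an interrupted kernel
 * context, so a user-mode code selector short-circuits the fixup entirely. */
bool needs_fixup_fixed(const struct saved_frame *f)
{
    if (SELECTOR_RPL(f->cs) == RPL_USER)
        return false;
    return f->eip >= SCRIT && f->eip < ECRIT;
}

int main(void)
{
    struct saved_frame user_in_range   = { .eip = SCRIT + 8, .cs = CS_USER_RPL3 };
    struct saved_frame kernel_in_range = { .eip = SCRIT + 8, .cs = CS_KERNEL_RPL1 };
    printf("user EIP in range:   vulnerable=%d fixed=%d\n",
           needs_fixup_vulnerable(&user_in_range), needs_fixup_fixed(&user_in_range));
    printf("kernel EIP in range: vulnerable=%d fixed=%d\n",
           needs_fixup_vulnerable(&kernel_in_range), needs_fixup_fixed(&kernel_in_range));
    return 0;
}
```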
Upstream commit: http://xenbits.xensource.com/linux-2.6.18-xen.hg?rev/9b9454800544
CVE-2009-1758: The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges."

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1758
http://lists.xensource.com/archives/html/xen-devel/2009-05/msg00561.html
http://www.openwall.com/lists/oss-security/2009/05/14/2
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 via RHSA-2009:1106 https://rhn.redhat.com/errata/RHSA-2009-1106.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4 via RHSA-2009:1132 https://rhn.redhat.com/errata/RHSA-2009-1132.html