[Hardy, Karmic] CVE-2010-0435

Brad Figg brad.figg at canonical.com
Thu Feb 3 18:12:59 UTC 2011 

On 02/03/2011 09:19 AM, Stefan Bader wrote:
> Same patch applies to both. Dapper does not have KVM and Lucid was
> fixed by an upstream stable update already. Maverick and Natty should
> be fixed according to comment.
>
> -Stefan
>
>  From 370c6b5200b04645ab1b00bad931ae899cd55471 Mon Sep 17 00:00:00 2001
> From: Gleb Natapov<gleb at redhat.com>
> Date: Wed, 10 Nov 2010 12:08:12 +0200
> Subject: [PATCH] KVM: VMX: fix vmx null pointer dereference on debug register access
>
> CVE-2010-0435
> BugLink: http://bugs.launchpad.net/bugs/712615
>
> There is a bug in KVM that can be used to crash a host on Intel
> machines. If emulator is tricked into emulating mov to/from DR instruction
> it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
> are not initialized. Recently this is not exploitable from guest
> userspace, but malicious guest kernel can trigger it easily.
>
> On upstream bug was fixed differently around 2.6.34.
>
> Signed-off-by: Gleb Natapov<gleb at redhat.com>
> Signed-off-by: Avi Kivity<avi at redhat.com>
> Signed-off-by: Greg Kroah-Hartman<gregkh at suse.de>
> (cherry-picked from commit 370c6b5200b04645ab1b00bad931ae899cd55471 2.6.32.y)
> Signed-off-by: Stefan Bader<stefan.bader at canonical.com>
> ---
>   arch/x86/kvm/x86.c |    6 ++++++
>   1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 724a6ad..0990f0a 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -2782,6 +2782,9 @@ int emulator_get_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long *dest)
>   {
>   	struct kvm_vcpu *vcpu = ctxt->vcpu;
>
> +	if (!kvm_x86_ops->get_dr)
> +		return X86EMUL_UNHANDLEABLE;
> +
>   	switch (dr) {
>   	case 0 ... 3:
>   		*dest = kvm_x86_ops->get_dr(vcpu, dr);
> @@ -2797,6 +2800,9 @@ int emulator_set_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long value)
>   	unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
>   	int exception;
>
> +	if (!kvm_x86_ops->set_dr)
> +		return X86EMUL_UNHANDLEABLE;
> +
>   	kvm_x86_ops->set_dr(ctxt->vcpu, dr, value&  mask,&exception);
>   	if (exception) {
>   		/* FIXME: better handling */

Acked-by: Brad Figg <brad.figg at canonical.com>

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com

More information about the kernel-team mailing list