CVE-2010-0435

Published: 24 August 2010

The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via vectors related to instruction emulation.

From the Ubuntu security team

Gleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service.

Priority

Medium

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.36~rc1)
Patches:
upstream: 54b8486f469475d6c8e8aec917b91239a54eb8c8
linux-ec2
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.36~rc1)
linux-fsl-imx51
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.36~rc1)
linux-lts-backport-maverick
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.36~rc1)
linux-mvl-dove
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.36~rc1)
linux-source-2.6.15
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.36~rc1)
linux-ti-omap4
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.36~rc1)

Notes

AuthorNote
kees guest can crash host
smb Looking at the redhat bugzilla it says: "If emulator is tricked into emulating mov to/from DR instruction it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr are not initialized." Now before v2.6.36-rc1 KVM has no ops->(set|get)_dr but calls the function directly. So that Oops cannot happen.
kees but a fix was included for Lucid anyway?
smb It was by upstream. Now pulled that change back to Hardy and Karmic. I believe the reference in the backport is pointing to upstream commit 020df0794f5764e742feaa718be88b8f1b4ce04f which was part of 2.6.35-rc1

References