CVE-2010-0435
Published: 24 August 2010
The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via vectors related to instruction emulation.
From the Ubuntu Security Team
Gleb Natapov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service.
Notes
Author | Note |
---|---|
kees | guest can crash host |
smb | Looking at the redhat bugzilla it says: "If emulator is tricked into emulating mov to/from DR instruction it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr are not initialized." Now before v2.6.36-rc1 KVM has no ops->(set|get)_dr but calls the function directly. So that Oops cannot happen. |
kees | but a fix was included for Lucid anyway? |
smb | It was by upstream. Now pulled that change back to Hardy and Karmic. I believe the reference in the backport is pointing to upstream commit 020df0794f5764e742feaa718be88b8f1b4ce04f which was part of 2.6.35-rc1 |
Priority
Status
Package | Release | Status |
---|---|---|
linux | dapper | Does not exist |
linux | hardy | Released (2.6.24-28.86) |
linux | jaunty | Ignored (EOL) |
linux | karmic | Released (2.6.31-22.73) |
linux | lucid | Released (2.6.32-28.55) |
linux | maverick | Not vulnerable |
linux | upstream | Released (2.6.36~rc1) |
linux-ec2 | dapper | Does not exist |
linux-ec2 | hardy | Does not exist |
linux-ec2 | jaunty | Does not exist |
linux-ec2 | karmic | Not vulnerable |
linux-ec2 | lucid | Released (2.6.32-312.24) |
linux-ec2 | maverick | Ignored (binary supplied by "linux" now) |
linux-ec2 | upstream | Released (2.6.36~rc1) |
linux-fsl-imx51 | dapper | Does not exist |
linux-fsl-imx51 | hardy | Does not exist |
linux-fsl-imx51 | karmic | Released (2.6.31-112.30) |
linux-fsl-imx51 | lucid | Not vulnerable |
linux-fsl-imx51 | maverick | Does not exist |
linux-fsl-imx51 | upstream | Released (2.6.36~rc1) |
linux-lts-backport-maverick | dapper | Does not exist |
linux-lts-backport-maverick | hardy | Does not exist |
linux-lts-backport-maverick | jaunty | Does not exist |
linux-lts-backport-maverick | karmic | Does not exist |
linux-lts-backport-maverick | lucid | Not vulnerable |
linux-lts-backport-maverick | maverick | Does not exist |
linux-lts-backport-maverick | upstream | Released (2.6.36~rc1) |
linux-mvl-dove | dapper | Does not exist |
linux-mvl-dove | hardy | Does not exist |
linux-mvl-dove | karmic | Ignored (abandoned branch) |
linux-mvl-dove | lucid | Not vulnerable |
linux-mvl-dove | maverick | Not vulnerable |
linux-mvl-dove | upstream | Released (2.6.36~rc1) |
linux-source-2.6.15 | dapper | Not vulnerable |
linux-source-2.6.15 | hardy | Does not exist |
linux-source-2.6.15 | jaunty | Does not exist |
linux-source-2.6.15 | karmic | Does not exist |
linux-source-2.6.15 | lucid | Does not exist |
linux-source-2.6.15 | maverick | Does not exist |
linux-source-2.6.15 | upstream | Released (2.6.36~rc1) |
linux-ti-omap4 | dapper | Does not exist |
linux-ti-omap4 | hardy | Does not exist |
linux-ti-omap4 | karmic | Does not exist |
linux-ti-omap4 | lucid | Does not exist |
linux-ti-omap4 | maverick | Not vulnerable |
linux-ti-omap4 | upstream | Released (2.6.36~rc1) |