CVE-2010-0435

Published: 24 August 2010

The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via vectors related to instruction emulation.

From the Ubuntu security team

Gleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service.

Priority

Medium

Status

Package: linux
  dapper     Does not exist
  hardy      Released (2.6.24-28.86)
  jaunty     Ignored (EOL)
  karmic     Released (2.6.31-22.73)
  lucid      Released (2.6.32-28.55)
  maverick   Not vulnerable
  upstream   Released (2.6.36~rc1)

Package: linux-ec2
  dapper     Does not exist
  hardy      Does not exist
  jaunty     Does not exist
  karmic     Not vulnerable
  lucid      Released (2.6.32-312.24)
  maverick   Ignored (binary supplied by "linux" now)
  upstream   Released (2.6.36~rc1)

Package: linux-fsl-imx51
  dapper     Does not exist
  hardy      Does not exist
  karmic     Released (2.6.31-112.30)
  lucid      Not vulnerable
  maverick   Does not exist
  upstream   Released (2.6.36~rc1)

Package: linux-lts-backport-maverick
  dapper     Does not exist
  hardy      Does not exist
  jaunty     Does not exist
  karmic     Does not exist
  lucid      Not vulnerable
  maverick   Does not exist
  upstream   Released (2.6.36~rc1)

Package: linux-mvl-dove
  dapper     Does not exist
  hardy      Does not exist
  karmic     Ignored (abandoned branch)
  lucid      Not vulnerable
  maverick   Not vulnerable
  upstream   Released (2.6.36~rc1)

Package: linux-source-2.6.15
  dapper     Not vulnerable
  hardy      Does not exist
  jaunty     Does not exist
  karmic     Does not exist
  lucid      Does not exist
  maverick   Does not exist
  upstream   Released (2.6.36~rc1)

Package: linux-ti-omap4
  dapper     Does not exist
  hardy      Does not exist
  karmic     Does not exist
  lucid      Does not exist
  maverick   Not vulnerable
  upstream   Released (2.6.36~rc1)

Notes

kees: guest can crash host

smb: Looking at the Red Hat bugzilla it says: "If emulator is tricked into emulating mov to/from DR instruction it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr are not initialized." Now before v2.6.36-rc1 KVM has no ops->(set|get)_dr but calls the function directly. So that Oops cannot happen.

kees: but a fix was included for Lucid anyway?

smb: It was by upstream. Now pulled that change back to Hardy and Karmic. I believe the reference in the backport is pointing to upstream commit 020df0794f5764e742feaa718be88b8f1b4ce04f which was part of 2.6.35-rc1

References