Candidate: CVE-2009-3290
Description:
"So far unprivileged guest callers running in ring 3 can issue, e.g.,
MMU hypercalls. Normally, such callers cannot provide any hand-crafted
MMU command structure as it has to be passed by its physical address,
but they can still crash the guest kernel by passing random addresses.
.
To close the hole, this patch considers hypercalls valid only if issued
from guest ring 0. This may still be relaxed on a per-hypercall base in
the future once required."
.
This was introduced in v2.6.25-rc1, and fixed in 2.6.31
jmm> The oss-security posting is wrong, this was fixed in 2.6.31-1
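Added illustration (not part of this tracker entry and not the kernel's code): a toy C model of the x86 hypercall dispatch path, showing why a ring-3 caller could corrupt guest memory through KVM_HC_MMU_OP and what the upstream fix changes. The real commit gates kvm_emulate_hypercall() on kvm_x86_ops->get_cpl(vcpu) != 0 and returns -KVM_EPERM; here get_cpl is modelled as the low two bits of CS, the MMU op is reduced to a single PTE write at a guest-physical address, and the hypercall number, error values and the 0x10/0x23 selectors are assumed sample values named after the kernel's conventions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypercall number and error codes, named after include/linux/kvm_para.h;
 * the numeric values are assumptions for this toy, not copied from the tree. */
#define KVM_HC_MMU_OP 2
#define KVM_ENOSYS    1000
#define KVM_EFAULT    14
#define KVM_EPERM     1

/* x86 selectors: the low two bits of CS are the CPL. 0x10 and 0x23 are the
 * usual Linux kernel/user code selectors, used here only as sample values. */
#define KERNEL_CS 0x10
#define USER_CS   0x23

#define TOY_PAGES      8
#define TOY_PAGE_SHIFT 12
#define KERNEL_PTE     0x1003ULL   /* "live" PTE the guest kernel depends on */

/* Minimal guest: a CS selector and one 64-bit "PTE slot" per physical page. */
struct toy_vcpu {
    uint16_t cs;
    uint64_t pages[TOY_PAGES];
};

/* Stand-in for kvm_x86_ops->get_cpl(): the CPL lives in CS bits 0-1. */
static int toy_get_cpl(const struct toy_vcpu *vcpu)
{
    return vcpu->cs & 3;
}

/* MMU op reduced to one PTE write at a guest-physical address. A gpa outside
 * guest RAM is refused by the host; one inside is honoured whatever it points
 * at, which is how a random address from ring 3 takes down the guest kernel. */
static int toy_mmu_op(struct toy_vcpu *vcpu, uint64_t gpa, uint64_t pte)
{
    uint64_t pfn = gpa >> TOY_PAGE_SHIFT;
    if (pfn >= TOY_PAGES)
        return -KVM_EFAULT;
    vcpu->pages[pfn] = pte;
    return 0;
}

/* Pre-fix dispatcher: no privilege check, any ring reaches the handler. */
int hypercall_vulnerable(struct toy_vcpu *vcpu, unsigned long nr,
                         uint64_t a0, uint64_t a1)
{
    switch (nr) {
    case KVM_HC_MMU_OP:
        return toy_mmu_op(vcpu, a0, a1);
    default:
        return -KVM_ENOSYS;
    }
}

/* Post-fix dispatcher: reject anything not issued from guest ring 0 before
 * even looking at the hypercall number. */
int hypercall_fixed(struct toy_vcpu *vcpu, unsigned long nr,
                    uint64_t a0, uint64_t a1)
{
    if (toy_get_cpl(vcpu) != 0)
        return -KVM_EPERM;
    return hypercall_vulnerable(vcpu, nr, a0, a1);
}

/* Constructed scenario: page 1 holds KERNEL_PTE; the caller, running with
 * the given CS, issues KVM_HC_MMU_OP with a chosen gpa and a zero PTE. */
static int run_scenario(int use_fix, uint16_t cs, uint64_t gpa,
                        struct toy_vcpu *vcpu)
{
    memset(vcpu, 0, sizeof(*vcpu));
    vcpu->cs = cs;
    vcpu->pages[1] = KERNEL_PTE;
    return use_fix ? hypercall_fixed(vcpu, KVM_HC_MMU_OP, gpa, 0)
                   : hypercall_vulnerable(vcpu, KVM_HC_MMU_OP, gpa, 0);
}

/* Return code the guest sees for the scenario. */
int mmu_op_ret(int use_fix, uint16_t cs, uint64_t gpa)
{
    struct toy_vcpu vcpu;
    return run_scenario(use_fix, cs, gpa, &vcpu);
}

/* 1 if the scenario overwrote the kernel's PTE on page 1, else 0. */
int kernel_page_clobbered(int use_fix, uint16_t cs, uint64_t gpa)
{
    struct toy_vcpu vcpu;
    run_scenario(use_fix, cs, gpa, &vcpu);
    return vcpu.pages[1] != KERNEL_PTE;
}

int main(void)
{
    const uint64_t random_gpa = 0x1000;   /* happens to land on the kernel's page */
    printf("ring 3, no fix: ret=%d clobbered=%d\n",
           mmu_op_ret(0, USER_CS, random_gpa),
           kernel_page_clobbered(0, USER_CS, random_gpa));
    printf("ring 3, fixed:  ret=%d clobbered=%d\n",
           mmu_op_ret(1, USER_CS, random_gpa),
           kernel_page_clobbered(1, USER_CS, random_gpa));
    printf("ring 0, fixed:  ret=%d clobbered=%d\n",
           mmu_op_ret(1, KERNEL_CS, random_gpa),
           kernel_page_clobbered(1, KERNEL_CS, random_gpa));
    return 0;
}
```

The point the toy makes is the one in the commit message: the host-side bounds check (the -KVM_EFAULT path) only protects the host, so a ring-3 caller needs no valid command structure to do damage inside the guest; the CPL gate in hypercall_fixed is what closes that, while a ring-0 caller still gets the same result as before.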
References:
http://www.openwall.com/lists/oss-security/2009/09/18/1
http://patchwork.kernel.org/patch/38926/
https://bugzilla.redhat.com/show_bug.cgi?id=524124
Ubuntu-Description:
Notes:
Brad Spengler has already developed working exploit code for this, so this is high-urgency
Bugs:
upstream: released (2.6.32-rc1) [07708c4af1346ab1521b26a202f438366b7bcffd]
linux-2.6: released (2.6.31-1)
2.6.18-etch-security: N/A "introduced in 2.6.25"
2.6.24-etch-security: N/A "introduced in 2.6.25"
2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/x86/kvm-disallow-hypercalls-for-guest-callers-in-rings-gt-0.patch]