[Hardy, Karmic] CVE-2010-0435

Stefan Bader stefan.bader at canonical.com
Thu Feb 3 17:19:54 UTC 2011


The same patch applies to both. Dapper does not have KVM and Lucid was
fixed by an upstream stable update already. Maverick and Natty should
be fixed according to the comment.

-Stefan

From 370c6b5200b04645ab1b00bad931ae899cd55471 Mon Sep 17 00:00:00 2001
From: Gleb Natapov <gleb at redhat.com>
Date: Wed, 10 Nov 2010 12:08:12 +0200
Subject: [PATCH] KVM: VMX: fix vmx null pointer dereference on debug register access

CVE-2010-0435
BugLink: http://bugs.launchpad.net/bugs/712615

There is a bug in KVM that can be used to crash a host on Intel
machines. If the emulator is tricked into emulating a mov to/from DR instruction
it causes a NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
are not initialized. Recently this is not exploitable from guest
userspace, but a malicious guest kernel can trigger it easily.

Upstream the bug was fixed differently around 2.6.34.

Signed-off-by: Gleb Natapov <gleb at redhat.com>
Signed-off-by: Avi Kivity <avi at redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
(cherry-picked from commit 370c6b5200b04645ab1b00bad931ae899cd55471 2.6.32.y)
Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
---
 arch/x86/kvm/x86.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 724a6ad..0990f0a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2782,6 +2782,9 @@ int emulator_get_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long *dest)
 {
 	struct kvm_vcpu *vcpu = ctxt->vcpu;
 
+	if (!kvm_x86_ops->get_dr)
+		return X86EMUL_UNHANDLEABLE;
+
 	switch (dr) {
 	case 0 ... 3:
 		*dest = kvm_x86_ops->get_dr(vcpu, dr);
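Review bot: the guard placed before the switch (`if (!kvm_x86_ops->get_dr) return X86EMUL_UNHANDLEABLE;`) closes the NULL dereference, but nothing at this site tells a reader why the op can be absent. A one-line comment stating that VMX in this tree does not populate get_dr/set_dr, and that upstream fixed this differently around 2.6.34 (as the commit message says), would keep this backport-only guard from being removed as dead code when the file is next touched.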
@@ -2797,6 +2800,9 @@ int emulator_set_dr(struct x86_emulate_ctxt *ctxt, int dr, unsigned long value)
 	unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
 	int exception;
 
+	if (!kvm_x86_ops->set_dr)
+		return X86EMUL_UNHANDLEABLE;
+
 	kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);
 	if (exception) {
 		/* FIXME: better handling */
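Review bot: the same NULL guard is duplicated in emulator_set_dr, which is fine for a minimal stable backport, but note that the `mask` computation on the first line now runs before the early return and that the faulting-write path below (`/* FIXME: better handling */`) is unchanged, so this hunk only prevents the crash and does not change how a DR write that raises an exception is reported to the guest. Stating that scope in the commit message would make clear that the host-crash bug, not DR emulation semantics, is what this backport fixes.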
-- 
1.7.0.4
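The fault class behind this CVE is a dispatch through an ops table whose optional callbacks are left NULL by one backend. The following is an added example, not code from the patch or from the kernel: it models two backend tables (one that fills in get_dr/set_dr, modelled on SVM, and one that leaves them NULL, modelled on VMX in this tree), and a pair of accessors shaped like the patched emulator_get_dr/emulator_set_dr. The struct names, the X86EMUL_* values, the mode flag and the restriction to DR0..DR3 are simplifications assumed for the example; the kernel's switch also handles DR6/DR7.

```c
/* Added example (not part of the patch or the kernel): a minimal model of
 * the ops-table dispatch that CVE-2010-0435 concerned. The guarded accessors
 * mirror the patch's NULL check; calling ops->get_dr directly on the table
 * that leaves it NULL is exactly the host crash the patch prevents. */
#include <stddef.h>
#include <stdio.h>

/* Assumed return codes; the kernel defines its own X86EMUL_* values. */
#define X86EMUL_CONTINUE     0
#define X86EMUL_UNHANDLEABLE 1

struct vcpu { unsigned long dr[4]; };   /* only DR0..DR3 in this model */

struct x86_ops {
    const char *name;
    unsigned long (*get_dr)(struct vcpu *, int);
    void (*set_dr)(struct vcpu *, int, unsigned long, int *exception);
};

static unsigned long model_get_dr(struct vcpu *v, int dr) { return v->dr[dr]; }
static void model_set_dr(struct vcpu *v, int dr, unsigned long val, int *exc)
{
    v->dr[dr] = val;
    *exc = 0;
}

/* Backend that implements the DR ops (modelled on SVM). */
static const struct x86_ops ops_with_dr = { "full", model_get_dr, model_set_dr };
/* Backend that does not (modelled on VMX in this tree): the NULL pointers
 * are the hazard. */
static const struct x86_ops ops_without_dr = { "partial", NULL, NULL };

/* Guarded read, same shape as the patched emulator_get_dr. */
int guarded_get_dr(const struct x86_ops *ops, struct vcpu *v, int dr,
                   unsigned long *dest)
{
    if (!ops->get_dr)                 /* the check the patch adds */
        return X86EMUL_UNHANDLEABLE;
    if (dr < 0 || dr > 3)             /* model covers DR0..DR3 only */
        return X86EMUL_UNHANDLEABLE;
    *dest = ops->get_dr(v, dr);
    return X86EMUL_CONTINUE;
}

/* Guarded write, same shape as the patched emulator_set_dr. mode64 selects
 * the mask the kernel derives from ctxt->mode: 32-bit modes truncate. */
int guarded_set_dr(const struct x86_ops *ops, struct vcpu *v, int dr,
                   unsigned long value, int mode64)
{
    unsigned long mask = mode64 ? ~0UL : ~0U;
    int exception;

    if (!ops->set_dr)                 /* the check the patch adds */
        return X86EMUL_UNHANDLEABLE;
    if (dr < 0 || dr > 3)
        return X86EMUL_UNHANDLEABLE;
    ops->set_dr(v, dr, value & mask, &exception);
    return exception ? X86EMUL_UNHANDLEABLE : X86EMUL_CONTINUE;
}

int main(void)
{
    struct vcpu v = {{0, 0, 0, 0}};
    unsigned long out = 0;

    /* On the backend without DR ops the guarded path fails cleanly. */
    printf("%s get_dr -> %d\n", ops_without_dr.name,
           guarded_get_dr(&ops_without_dr, &v, 0, &out));
    /* On the full backend a 32-bit-mode write is masked to 32 bits. */
    guarded_set_dr(&ops_with_dr, &v, 2, (1UL << 40) | 0xabcdUL, 0);
    guarded_get_dr(&ops_with_dr, &v, 2, &out);
    printf("%s dr2 = 0x%lx\n", ops_with_dr.name, out);
    return 0;
}
```

The design point is that the guard lives in the dispatcher, not the backend: a backend that legitimately lacks a capability reports it as unhandleable to the emulator, instead of relying on every table being fully populated.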