[kernel] r16745 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/x86 patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Dec 29 18:31:22 UTC 2010
Author: dannf
Date: Wed Dec 29 18:31:18 2010
New Revision: 16745
Log:
KVM: VMX: fix vmx null pointer dereference on debug register access
(CVE-2010-0435)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Dec 29 06:22:34 2010 (r16744)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Dec 29 18:31:18 2010 (r16745)
@@ -8,6 +8,8 @@
* bluetooth: Fix missing NULL check (CVE-2010-4242)
* posix-cpu-timers: workaround to suppress the problems with mt exec
(CVE-2010-4248)
+ * KVM: VMX: fix vmx null pointer dereference on debug register access
+ (CVE-2010-0435)
-- dann frazier <dannf at debian.org> Wed, 01 Dec 2010 20:32:11 -0700
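Review bot: the changelog trailer on the last context line still reads "Wed, 01 Dec 2010 20:32:11 -0700" while this entry is being added on 29 Dec 2010; refresh the trailer date when the entry is finalized for upload, otherwise the changelog misdates the CVE-2010-0435 fix relative to the other entries in this version.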
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch Wed Dec 29 18:31:18 2010 (r16745)
@@ -0,0 +1,44 @@
+commit 370c6b5200b04645ab1b00bad931ae899cd55471
+Author: Gleb Natapov <gleb at redhat.com>
+Date: Wed Nov 10 12:08:12 2010 +0200
+
+ KVM: VMX: fix vmx null pointer dereference on debug register access
+
+ There is a bug in KVM that can be used to crash a host on Intel
+ machines. If emulator is tricked into emulating mov to/from DR instruction
+ it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
+ are not initialized. Recently this is not exploitable from guest
+ userspace, but malicious guest kernel can trigger it easily.
+
+ CVE-2010-0435
+
+ On upstream bug was fixed differently around 2.6.34.
+
+ Signed-off-by: Gleb Natapov <gleb at redhat.com>
+ Signed-off-by: Avi Kivity <avi at redhat.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+ [dannf: adjusted to apply to Debian's 2.6.26]
+
+diff -urpN a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+--- a/arch/x86/kvm/x86.c 2010-12-29 10:52:59.402636320 -0700
++++ b/arch/x86/kvm/x86.c 2010-12-29 11:26:30.646136793 -0700
+@@ -2113,6 +2113,9 @@ int emulator_get_dr(struct x86_emulate_c
+ {
+ struct kvm_vcpu *vcpu = ctxt->vcpu;
+
++ if (!kvm_x86_opts->get_dr)
++ return X86EMUL_UNHANDLEABLE;
++
+ switch (dr) {
+ case 0 ... 3:
+ *dest = kvm_x86_ops->get_dr(vcpu, dr);
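Review bot: the new guard in emulator_get_dr reads `if (!kvm_x86_opts->get_dr)`, but the pointer actually dereferenced three lines later is `kvm_x86_ops->get_dr`; `kvm_x86_opts` is a typo for `kvm_x86_ops` and this will not compile. Change the guard to `if (!kvm_x86_ops->get_dr)`. Returning X86EMUL_UNHANDLEABLE when the callback is unset is the right fallback, since the commit message says VMX never initializes it.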
+@@ -2128,6 +2131,9 @@ int emulator_set_dr(struct x86_emulate_c
+ unsigned long mask = (ctxt->mode == X86EMUL_MODE_PROT64) ? ~0ULL : ~0U;
+ int exception;
+
++ if (!kvm_x86_opts->set_dr)
++ return X86EMUL_UNHANDLEABLE;
++
+ kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);
+ if (exception) {
+ /* FIXME: better handling */
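Review bot: same typo in emulator_set_dr: `if (!kvm_x86_opts->set_dr)` must be `if (!kvm_x86_ops->set_dr)` to match the `kvm_x86_ops->set_dr(ctxt->vcpu, dr, value & mask, &exception);` call that follows. As written the backported patch fails to build, so the CVE-2010-0435 fix would not actually land in the 2.6.26 package; please build-test the lenny kernel with this patch applied before upload.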
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Wed Dec 29 06:22:34 2010 (r16744)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2 Wed Dec 29 18:31:18 2010 (r16745)
@@ -3,3 +3,4 @@
+ bugfix/all/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
+ bugfix/all/bluetooth-fix-missing-NULL-check.patch
+ bugfix/all/posix-cpu-timers-workaround-to-suppress-the-problems-with-mt-exec.patch
++ bugfix/x86/kvm-vmx-fix-vmx-null-pointer-dereference-on-debug-register-access.patch