Bug 549487 (CVE-2009-3640) - VUL-0: CVE-2009-3640: kvm: update_cr8_intercept() NULL pointer dereference
Summary: VUL-0: CVE-2009-3640: kvm: update_cr8_intercept() NULL pointer dereference
Status: RESOLVED FIXED
Alias: CVE-2009-3640
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P5 - None    Severity: Major
Target Milestone: ---
Deadline: 2009-11-09
Assignee: Bruce Rogers
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:11.1:28758 maint:relea...
Keywords:
Depends on:
Blocks: 547624
Reported: 2009-10-23 08:30 UTC by Ludwig Nussel
Modified: 2017-07-03 07:34 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Ludwig Nussel 2009-10-23 08:30:36 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

Date: Fri, 23 Oct 2009 11:47:00 +0800
From: Eugene Teo <eugeneteo@kernel.sg>
To: oss-security@lists.openwall.com
Subject: [oss-security] CVE request: kvm: update_cr8_intercept() NULL pointer dereference when running without an apic
CC: "Steven M. Christey" <coley@linus.mitre.org>

Quote from the upstream commit:
"update_cr8_intercept() can be triggered from userspace while there
is no apic present."

http://git.kernel.org/linus/88c808fd42b53a7e01a2ac3253ef31fef74cb5af

This one can be triggered via kvm_vcpu_ioctl() if /dev/kvm is user accessible (which is recommended...). Fixed in v2.6.32-rc1.

Eugene
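Added illustration of the bug pattern in the report above. This is not kernel code and not the upstream commit; it is a small user-space model written for this page. It assumes what the report states: KVM allocates the in-kernel local APIC only for VMs with an in-kernel irqchip, so a vcpu driven through kvm_vcpu_ioctl() on a VM without one carries a NULL apic pointer, and update_cr8_intercept() dereferenced that pointer unconditionally. The structure and function names (lapic_model, vcpu_model, vcpu_ioctl_run_model, the demo_* helpers) are stand-ins chosen here, not KVM's own; the guard in update_cr8_intercept_fixed() models the shape of the upstream fix as its subject line describes it (protecting the function when running without an apic).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures (assumed names, not KVM's). */
struct lapic_model {
    uint64_t vapic_addr;  /* guest address of the vAPIC page; 0 = not set up */
    int highest_irr;      /* highest pending interrupt vector, -1 if none   */
    int cr8;              /* task priority as seen through CR8              */
};

struct vcpu_model {
    struct lapic_model *apic;  /* NULL when the VM has no in-kernel irqchip */
    int cr8_tpr;               /* what the last intercept update passed on  */
    int cr8_irr;
};

/* Model of the arch hook (the kvm_x86_ops->update_cr8_intercept slot):
 * it only records its arguments so the caller's behaviour can be checked. */
static void arch_update_cr8_intercept(struct vcpu_model *vcpu, int tpr, int irr)
{
    vcpu->cr8_tpr = tpr;
    vcpu->cr8_irr = irr;
}

/* Pre-fix shape: assumes an APIC is always present.  With vcpu->apic == NULL
 * (a VM created without an in-kernel irqchip) the first line dereferences
 * NULL, which is the oops the report describes.  Only reachable here through
 * the guarded wrapper below. */
static int update_cr8_intercept_unguarded(struct vcpu_model *vcpu)
{
    int max_irr = vcpu->apic->vapic_addr ? -1 : vcpu->apic->highest_irr;
    if (max_irr != -1)
        max_irr >>= 4;             /* vector -> priority class */
    arch_update_cr8_intercept(vcpu, vcpu->apic->cr8, max_irr);
    return 0;
}

/* Post-fix shape: bail out before touching the APIC when there is none.
 * Returns -1 so a caller (or a test) can see that the update was skipped. */
static int update_cr8_intercept_fixed(struct vcpu_model *vcpu)
{
    if (!vcpu->apic)
        return -1;
    return update_cr8_intercept_unguarded(vcpu);
}

/* Model of the user-space entry point: kvm_vcpu_ioctl() -> vcpu run path. */
static int vcpu_ioctl_run_model(struct vcpu_model *vcpu)
{
    return update_cr8_intercept_fixed(vcpu);
}

/* Scenario: VM without irqchip, so no APIC.  Returns -1 (skipped, no fault). */
static int demo_no_irqchip(void)
{
    struct vcpu_model vcpu = { .apic = NULL, .cr8_tpr = 0, .cr8_irr = 0 };
    return vcpu_ioctl_run_model(&vcpu);
}

/* Scenario: APIC present, no vAPIC page.  Packs (tpr << 8) | irr_class,
 * here 0x203: tpr 2, highest pending vector 0x35 >> 4 == 3. */
static int demo_with_irqchip(void)
{
    struct lapic_model apic = { .vapic_addr = 0, .highest_irr = 0x35, .cr8 = 2 };
    struct vcpu_model vcpu = { .apic = &apic, .cr8_tpr = 0, .cr8_irr = 0 };
    if (vcpu_ioctl_run_model(&vcpu) != 0)
        return -1;
    return (vcpu.cr8_tpr << 8) | (vcpu.cr8_irr & 0xff);
}

/* Scenario: APIC present with a vAPIC page, so the IRR is not consulted and
 * the hook receives max_irr == -1. */
static int demo_with_vapic(void)
{
    struct lapic_model apic = { .vapic_addr = 0x1000, .highest_irr = 0x35, .cr8 = 5 };
    struct vcpu_model vcpu = { .apic = &apic, .cr8_tpr = 0, .cr8_irr = 0 };
    if (vcpu_ioctl_run_model(&vcpu) != 0)
        return 0;
    return vcpu.cr8_irr;
}

int main(void)
{
    printf("no irqchip: %d (expect -1, update skipped)\n", demo_no_irqchip());
    printf("with irqchip: 0x%x (expect 0x203)\n", demo_with_irqchip());
    printf("with vapic: %d (expect -1 passed to the hook)\n", demo_with_vapic());
    return 0;
}
```

The point of the model is where the check sits: the guard must come before the first read of vcpu->apic, and the unguarded body is otherwise unchanged. A distribution backport can be sanity-checked the same way, by confirming that the NULL test precedes every dereference of the apic pointer in the function rather than only some of them.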
Comment 1 Ludwig Nussel 2009-10-26 13:43:12 UTC
CVE-2009-3640
Comment 2 Alexander Graf 2009-10-26 14:18:13 UTC
Luckily this doesn't apply to our SLE11 version of kvm-kmp.

On 11.1 we'll use the SLE11 version as soon as Studio OnSite is released, so nothing to worry about here either.
Comment 3 Ludwig Nussel 2009-10-29 08:59:17 UTC
What does that mean? How are you going to use the SLE11 version on 11.1? Someone needs to submit packages to make that happen.
Comment 4 Alexander Graf 2009-10-29 10:14:05 UTC
Yes, I'm still submitting the packages. You just don't need to care about the patchinfo stuff, as that's handled by bug 547624.

If you like we can also turn things around, so you'll submit the patchinfo for 11.1 (kvm _and_ kvm-kmp).
Comment 5 Ludwig Nussel 2009-10-29 10:28:13 UTC
Hmm, I wonder why I didn't notice the open maintenance workflow. Anyway, it's both a feature update and a security update (there are five kvm security bugs currently). I think we should have separate patchinfos for the affected packages and mark the kvm ones as security. I don't mind if it's released as part of the Studio OnSite update.
Comment 10 Thomas Biege 2009-11-04 13:47:01 UTC
CVE-2009-3640: CVSS v2 Base Score: 2.1 (LOW) (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Comment 11 Bruce Rogers 2009-11-04 21:33:28 UTC
Fix provided in submitpack of kvm-kmp package for SLE11.
Comment 12 Bruce Rogers 2009-11-13 04:01:23 UTC
Fixes submitted to OpenSUSE 11.0, 11.1 and SLE-11 - also attached to SWAMPID 28124. OpenSUSE 11.2 is unaffected.
Comment 13 Swamp Workflow Management 2009-11-20 11:37:09 UTC
Update released for: kvm, kvm-kmp-default, kvm-kmp-pae, kvm-kmp-trace
Products:
openSUSE 11.0 (debug, i386, x86_64)
Comment 14 Swamp Workflow Management 2009-11-20 11:37:10 UTC
Update released for: kvm, kvm-debuginfo, kvm-debugsource, kvm-kmp-default, kvm-kmp-pae, kvm-kmp-trace
Products:
openSUSE 11.1 (debug, i586, x86_64)
Comment 15 Thomas Biege 2009-11-20 12:16:59 UTC
released
Comment 16 Swamp Workflow Management 2009-11-20 23:08:57 UTC
Update released for: kvm, kvm-debuginfo, kvm-debugsource, kvm-kmp-default, kvm-kmp-pae
Products:
SLE-DEBUGINFO 11 (i386, ia64, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
SLE-SERVER 11 (i386, ia64, x86_64)