Bug 628591 (CVE-2010-0435) - VUL-0: CVE-2010-0435: kernel: kvm host NULL deref
Summary: VUL-0: CVE-2010-0435: kernel: kvm host NULL deref
Status: RESOLVED FIXED
Alias: CVE-2010-0435
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P2 - High    Severity: Normal
Target Milestone: ---
Deadline: 2010-08-12
Assignee: Alexander Graf
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:11.3:37798
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-05 07:35 UTC by Thomas Biege
Modified: 2015-10-30 10:41 UTC

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
the patch (9.58 KB, patch)
2010-08-10 14:42 UTC, Ludwig Nussel

Description Thomas Biege 2010-08-05 07:35:25 UTC
Hi.
There is a security bug in package 'kvm'.

This information is from 'vendor-sec'.

This bug is NOT PUBLIC.

The coordinated release date (CRD) is: 2010-08-12

More information can be found here:
	https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

CVE number: CVE-2010-0435
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0435

Original posting:


----------  Forwarded Message  ----------

Subject: [vendor-sec] KVM flaw (CVE-2010-0435)
Date: Wednesday, 4 August 2010, 23:15:26
From: Petr Matousek <pmatouse@redhat.com>
To:  "vendor-sec" <vendor-sec@lst.de>

Hello vendors,

we are going to make one KVM flaw that was found internally at Red Hat
public next week (2010-08-12). If anyone is interested in details, please
contact me off the list.

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

-------------------------------------------------------------
-- 
 Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Comment 4 Ludwig Nussel 2010-08-10 14:40:26 UTC
[CVE-2010-0435]
Gleb Napatov found a bug in KVM that can be used to crash the host on Intel
machines. If the emulator is tricked into emulating a mov to/from DR instruction, it
causes a NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr are not
initialized. Recently this is not exploitable from guest userspace, but a
malicious guest kernel can trigger it easily.
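The bug class described in the comment above is an ops table (a struct of per-backend function pointers) in which one backend never fills in some members, and a dispatcher that calls through them unconditionally. The following is an added, self-contained illustration of that pattern and of the defensive shape a fix takes; it is not KVM's code and not the attached patch. All names (`struct dr_ops`, `ops_partial`, `emulate_mov_to_dr`, the `dr_file` register array) are constructed for this example; only the idea of `get_dr`/`set_dr` hooks is taken from the report.

```c
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Constructed ops table: one function pointer per operation, filled in by
 * each backend. Mirrors the shape of a vendor-dispatch table, not KVM's own. */
struct dr_ops {
    int (*get_dr)(int dr, unsigned long *val);
    int (*set_dr)(int dr, unsigned long val);
};

/* Constructed backend state: a file of eight debug registers. */
static unsigned long dr_file[8];

static int backend_get_dr(int dr, unsigned long *val)
{
    if (dr < 0 || dr > 7)
        return -EINVAL;
    *val = dr_file[dr];
    return 0;
}

static int backend_set_dr(int dr, unsigned long val)
{
    if (dr < 0 || dr > 7)
        return -EINVAL;
    dr_file[dr] = val;
    return 0;
}

/* Backend A registers both hooks. Backend B registers neither, which is the
 * situation the report describes: the members stay NULL after initialisation. */
static const struct dr_ops ops_complete = {
    .get_dr = backend_get_dr,
    .set_dr = backend_set_dr,
};
static const struct dr_ops ops_partial = { 0 };

/* Unsafe dispatch: calls through the pointer without checking it. Reaching
 * this with ops_partial is exactly a host-side NULL pointer dereference. */
static int emulate_mov_to_dr_unchecked(const struct dr_ops *ops, int dr,
                                       unsigned long val)
{
    return ops->set_dr(dr, val);
}

/* Hardened dispatch: refuse the operation when the backend supplied no hook.
 * The caller can then fail the emulation (for example by injecting a fault
 * into the guest) instead of crashing the host. */
static int emulate_mov_to_dr(const struct dr_ops *ops, int dr, unsigned long val)
{
    if (ops == NULL || ops->set_dr == NULL)
        return -EOPNOTSUPP;
    return ops->set_dr(dr, val);
}

static int emulate_mov_from_dr(const struct dr_ops *ops, int dr,
                               unsigned long *val)
{
    if (ops == NULL || ops->get_dr == NULL)
        return -EOPNOTSUPP;
    return ops->get_dr(dr, val);
}

/* Registration-time audit: report which hooks a backend leaves unset, as a
 * bitmask (bit 0 = get_dr, bit 1 = set_dr). Catching this when the table is
 * registered is cheaper than discovering it when a guest triggers the path. */
static int dr_ops_missing_hooks(const struct dr_ops *ops)
{
    int missing = 0;
    if (ops->get_dr == NULL)
        missing |= 1;
    if (ops->set_dr == NULL)
        missing |= 2;
    return missing;
}

/* Convenience reader: value of DRn through the hardened path, or `fallback`
 * when the backend cannot serve the read. */
static unsigned long read_dr_or(const struct dr_ops *ops, int dr,
                                unsigned long fallback)
{
    unsigned long v;
    if (emulate_mov_from_dr(ops, dr, &v) != 0)
        return fallback;
    return v;
}

int main(void)
{
    printf("complete backend missing hooks: %d\n", dr_ops_missing_hooks(&ops_complete));
    printf("partial backend missing hooks:  %d\n", dr_ops_missing_hooks(&ops_partial));
    /* The unchecked dispatcher is only ever used with the complete backend here. */
    emulate_mov_to_dr_unchecked(&ops_complete, 0, 0x1234);
    printf("partial backend mov to DR0 -> %d (expected -EOPNOTSUPP)\n",
           emulate_mov_to_dr(&ops_partial, 0, 0x1234));
    printf("complete backend DR0 reads back 0x%lx\n", read_dr_or(&ops_complete, 0, 0));
    return 0;
}
```

The audit helper is the part worth copying: a table with optional members should be validated once, when the backend registers it, and every call site that tolerates an absent member should return a defined error rather than rely on the pointer being set.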
Comment 5 Ludwig Nussel 2010-08-10 14:42:10 UTC
Created attachment 381953 [details]
the patch
Comment 6 Ludwig Nussel 2010-08-10 14:47:03 UTC
actually affects the kvm kernel module
Comment 7 Jeff Mahoney 2010-11-09 14:49:15 UTC
Why was this bounced back to kernel-maintainers without comment? Has it already been fixed in releases with a separate KVM KMP?
Comment 8 Thomas Biege 2010-11-09 15:24:37 UTC
I do not think so but I am happy to see a reaction.


CVE-2010-0435: CVSS v2 Base Score: 4.6 (MEDIUM) (AV:L/AC:L/Au:S/C:N/I:N/A:C): Other (CWE-Other)
Comment 9 Alexander Graf 2010-11-09 15:41:29 UTC
Looking through the 2.6.32 stable branch, I don't see this fixed. I'll poke the folks upstream.
Comment 10 Jeff Mahoney 2010-11-09 17:47:08 UTC
The patch applies mostly cleanly to openSUSE 11.3. Alex, can you look at the other releases?
Comment 11 Alexander Graf 2010-11-09 21:40:46 UTC
Yeah, I really want this to get fixed upstream though. Still working on it.
Comment 12 Alexander Graf 2010-12-02 13:45:21 UTC
A patch to fix this should be in -stable by now, but isn't. Checking up with the maintainers again...
Comment 13 Alexander Graf 2010-12-08 11:14:36 UTC
It's queued for 2.6.32.27.
Comment 14 Swamp Workflow Management 2011-01-03 08:32:17 UTC
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 15 Thomas Biege 2011-02-25 10:10:02 UTC
Alexander,
this only affects 11.3? If so, then close this bug please. Thanks.

(Maybe it was already part of MaintenanceTracker-38373.)
Comment 16 Alexander Graf 2011-03-11 14:16:22 UTC
Yes, for the others things should have gone through stable.