CVE 2009-2287: does not validate the page table root in a KVM_SET_SREGS call

Bug #406584 reported by Dustin Kirkland 
Affects         Status        Importance  Assigned to  Milestone
kvm (Ubuntu)    Fix Released  Medium      Unassigned
  Hardy         Fix Released  Medium      Unassigned
  Intrepid      Won't Fix     Medium      Unassigned
  Jaunty        Won't Fix     Medium      Unassigned
  Karmic        Fix Released  Medium      Unassigned

Bug Description

The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2287

This bug was fixed in the upstream Linux kernel in 2.6.30, and this has been applied to all of the Ubuntu linux kernels.

The kvm package also provides kvm-source, which contains the source for the kvm kernel module. This is built using DKMS in intrepid, jaunty, and karmic. In hardy, the package simply provides a tarball. There is no automatic building mechanism.

:-Dustin
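The description above comes down to a missing bounds check on a value that userspace hands to the hypervisor: the frame number in cr3 was stored as vcpu state without first confirming that any registered guest memory slot backs it, so the later page-table walk dereferenced a NULL slot pointer. The following stand-alone C model is an added example and is not the Linux KVM source nor the upstream patch linked in this bug; the `memslot`, `vcpu`, `gfn_to_memslot` and `set_sregs_*` names are simplified, hypothetical stand-ins for the KVM concepts, and the memory map and cr3 values are constructed. It contrasts the unchecked store with a version that rejects an unbacked root before it becomes state.

```c
/* Illustrative model of validating a userspace-supplied page-table root (cr3)
 * against registered guest memory slots before the hypervisor walks it.
 * Added example: not Linux KVM code and not the CVE-2009-2287 patch.
 * gfn_t, struct memslot, struct vcpu and set_sregs_* are hypothetical
 * simplifications of the KVM concepts named in the bug description. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

#define PAGE_SHIFT 12
typedef uint64_t gfn_t;

/* A memory slot maps a contiguous range of guest frame numbers. */
struct memslot {
    gfn_t base_gfn;
    uint64_t npages;
};

/* The only vcpu state this model tracks is the page-table root. */
struct vcpu {
    uint64_t cr3;
};

/* Constructed sample guest memory map: 1 MiB at gfn 0, 4 MiB at gfn 0x1000. */
static const struct memslot sample_slots[] = {
    { .base_gfn = 0x0,    .npages = 256  },
    { .base_gfn = 0x1000, .npages = 1024 },
};
static const size_t sample_nslots = sizeof(sample_slots) / sizeof(sample_slots[0]);

/* Return the slot covering gfn, or NULL if none does. A NULL here is what
 * a cr3 outside guest memory produces for the page-table code downstream. */
static const struct memslot *gfn_to_memslot(const struct memslot *slots, size_t n, gfn_t gfn)
{
    for (size_t i = 0; i < n; i++) {
        if (gfn >= slots[i].base_gfn && gfn < slots[i].base_gfn + slots[i].npages)
            return &slots[i];
    }
    return NULL;
}

/* Unchecked pattern: the root is stored unconditionally, so the later walk
 * operates on whatever gfn_to_memslot() returns, NULL included. */
int set_sregs_unchecked(struct vcpu *v, uint64_t new_cr3)
{
    v->cr3 = new_cr3;
    return 0;
}

/* Checked pattern: refuse a cr3 whose frame no slot backs, before it becomes
 * vcpu state. Only the frame number is checked; the low bits of cr3 are flags. */
int set_sregs_checked(struct vcpu *v, uint64_t new_cr3)
{
    gfn_t root_gfn = new_cr3 >> PAGE_SHIFT;
    if (gfn_to_memslot(sample_slots, sample_nslots, root_gfn) == NULL)
        return -EINVAL;
    v->cr3 = new_cr3;
    return 0;
}

/* Simulated consumer: a walk that needs the slot backing the root.
 * Returns 1 if the root is backed, 0 if the walk would hit a NULL slot. */
int root_is_walkable(const struct vcpu *v)
{
    return gfn_to_memslot(sample_slots, sample_nslots, v->cr3 >> PAGE_SHIFT) != NULL;
}

int main(void)
{
    struct vcpu v = { .cr3 = 0 };
    uint64_t unbacked = 0xdeadbeef000ULL; /* constructed: frame 0xdeadbeef, in no slot */
    uint64_t backed   = 0x1000000ULL;     /* constructed: frame 0x1000, inside slot 1 */

    set_sregs_unchecked(&v, unbacked);
    printf("unchecked: cr3=%#llx walkable=%d\n", (unsigned long long)v.cr3, root_is_walkable(&v));

    v.cr3 = 0;
    int rc = set_sregs_checked(&v, unbacked);
    printf("checked, unbacked root: rc=%d cr3=%#llx\n", rc, (unsigned long long)v.cr3);
    rc = set_sregs_checked(&v, backed);
    printf("checked, backed root: rc=%d walkable=%d\n", rc, root_is_walkable(&v));
    return 0;
}
```

The point the model makes is where the check lives: at the ioctl boundary, before the value is committed, so that code further down the path can keep assuming a non-NULL slot. Rejecting with an error rather than silently clamping also lets userspace notice the bad input.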

Changed in kvm (Ubuntu Hardy):
status: New → In Progress
Changed in kvm (Ubuntu Intrepid):
status: New → In Progress
Changed in kvm (Ubuntu Jaunty):
status: New → In Progress
Changed in kvm (Ubuntu Karmic):
status: New → In Progress
Changed in kvm (Ubuntu Hardy):
importance: Undecided → Medium
Changed in kvm (Ubuntu Jaunty):
importance: Undecided → Medium
Changed in kvm (Ubuntu Intrepid):
importance: Undecided → Medium
Changed in kvm (Ubuntu Karmic):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kvm - 1:84+dfsg-0ubuntu16

---------------
kvm (1:84+dfsg-0ubuntu16) karmic; urgency=low

  * debian/patches/CVE-2009-2287.patch:
  * SECURITY UPDATE: Users could cause a NULL pointer exception
    by passing a bogus value of cr3 (LP: #406584).
   - debian/patches/CVE-2009-2287.patch:
   - http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=59839dfff5eabca01cc4e20b45797a60a80af8cb
   - CVE-2009-2287

 -- Dustin Kirkland <email address hidden> Wed, 29 Jul 2009 15:00:32 -0500

Changed in kvm (Ubuntu Karmic):
status: In Progress → Fix Released
Dustin Kirkland  (kirkland) wrote :

Attaching debdiff for hardy.

:-Dustin

description: updated
Dustin Kirkland  (kirkland) wrote :

Attaching debdiff for intrepid.

:-Dustin

Dustin Kirkland  (kirkland) wrote :

Attaching debdiff for jaunty.

:-Dustin

Chuck Short (zulcss) wrote :

Closing this SRU request based on the fact that Intrepid has reached EOL.

chuck

Changed in kvm (Ubuntu Intrepid):
status: In Progress → Won't Fix
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010, so this bug will not be fixed in that version of Ubuntu. It has been fixed in newer versions.

Changed in kvm (Ubuntu Jaunty):
status: In Progress → Won't Fix
Jamie Strandboge (jdstrand) wrote :
Changed in kvm (Ubuntu Hardy):
status: In Progress → Fix Released