CVE-2010-0435

Priority
Description
The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization
(RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows
guest OS users to cause a denial of service (NULL pointer dereference and
host OS crash) via vectors related to instruction emulation.
Ubuntu-Description
Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
Notes
 kees> guest can crash host
 smb> Looking at the redhat bugzilla it says: "If emulator is tricked into
 smb> emulating mov to/from DR instruction it causes NULL pointer dereference
 smb> on VMX since kvm_x86_ops->(set|get)_dr are not initialized."
 smb> Now before v2.6.36-rc1 KVM has no ops->(set|get)_dr but calls the
 smb> function directly. So that Oops cannot happen.
 kees> but a fix was included for Lucid anyway?
 smb> It was by upstream. Now pulled that change back to Hardy and Karmic.
 smb> I believe the reference in the backport is pointing to upstream
 smb> commit 020df0794f5764e742feaa718be88b8f1b4ce04f which was part of
 smb> 2.6.35-rc1
Assigned-to
smb
Package
Source: linux (LP Ubuntu Debian)
Upstream: released (2.6.36~rc1)
Patches:
Upstream: 54b8486f469475d6c8e8aec917b91239a54eb8c8
More Information

Updated: 2019-01-14 21:51:39 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)