Date: Tue, 30 Jun 2009 14:54:08 +0800
From: Eugene Teo <>
CC: "Steven M. Christey" <>
Subject: CVE Request: kernel: kvm: failure to validate cr3 after KVM_SET_SREGS

"This applies to kvm-84 and earlier (and possibly to the in-kernel kvm
version too) on all x86 machines in all guest modes (32-bit, PAE, 64-bit).

Userspace callers of KVM_SET_SREGS can pass a bogus value of cr3 to the
kernel. This will trigger a NULL pointer access in gfn_to_rmap() when
userspace next tries to call KVM_RUN on the affected VCPU and kvm
attempts to activate the new non-existent page table root.

This happens since kvm only validates that cr3 points to a valid guest
physical memory page when code *inside* the guest sets cr3. However, kvm
currently trusts the userspace caller (e.g. QEMU) on the host machine to
always supply a valid page table root, rather than properly validating
it along with the rest of the reloaded guest state."

Upstream patch:


Thanks, Eugene
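The failure mode quoted above, reduced to a small userspace model as an added illustration; this is not KVM code and not the upstream patch. It assumes a memslot table of two constructed regions, a 40-bit guest physical address width, and that "activating" a root means looking up its reverse-map entry, which is where the real gfn_to_rmap() returns NULL for an unbacked frame. activate_root_trusting() is the path the report describes (root taken from outside the guest without validation, NULL dereferenced on a bogus cr3); activate_root_checked() applies the same frame check a guest-side cr3 write gets before anything is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

/* Model of a KVM guest memory slot (not KVM's own structure): a contiguous
 * run of guest-physical frames that userspace registered as backed memory,
 * with one reverse-map entry per frame. */
struct memslot {
    uint64_t base_gfn;
    uint64_t npages;
    uint64_t *rmap;
};

/* Constructed sample layout: 1 MiB at GPA 0 and 64 MiB at GPA 0x10000000. */
static uint64_t rmap_low[0x100];
static uint64_t rmap_high[0x4000];
static struct memslot slots[] = {
    { .base_gfn = 0x00000, .npages = 0x100,  .rmap = rmap_low  },
    { .base_gfn = 0x10000, .npages = 0x4000, .rmap = rmap_high },
};

/* Modeled gfn_to_rmap(): the reverse-map entry for gfn, or NULL when no
 * memslot covers it. That NULL is what gets dereferenced when a bogus
 * cr3 root is activated without a prior check. */
uint64_t *gfn_to_rmap(uint64_t gfn)
{
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++) {
        if (gfn >= slots[i].base_gfn && gfn - slots[i].base_gfn < slots[i].npages)
            return &slots[i].rmap[gfn - slots[i].base_gfn];
    }
    return NULL;
}

/* Assumed guest physical address width for the model: 40 bits. Bits above
 * it must be clear in cr3; the low 12 bits carry flags, not address. */
#define GPA_BITS          40
#define CR3_FLAG_BITS     0xfffULL
#define CR3_RESERVED_MASK (~((1ULL << GPA_BITS) - 1))

/* Modeled VCPU state: the page-table root currently activated. */
struct vcpu_model {
    uint64_t cr3;
    uint64_t *root_rmap;
};

/* Trusting path (the hazard described in the report): the root handed in
 * from userspace is activated as-is. A cr3 outside every memslot yields a
 * NULL rmap pointer which is then written through. Do not call with a
 * bogus cr3; it is kept here only to show the shape of the bug. */
int activate_root_trusting(struct vcpu_model *v, uint64_t cr3)
{
    uint64_t *rmap = gfn_to_rmap((cr3 & ~CR3_FLAG_BITS) >> PAGE_SHIFT);
    v->cr3 = cr3;
    v->root_rmap = rmap;
    *rmap |= 1;                     /* NULL dereference when cr3 is bogus */
    return 0;
}

/* Checked path: reject reserved bits and any root frame that no memslot
 * backs before touching VCPU state. Returns 0 on success, -1 on reject. */
int activate_root_checked(struct vcpu_model *v, uint64_t cr3)
{
    if (cr3 & CR3_RESERVED_MASK)
        return -1;
    uint64_t *rmap = gfn_to_rmap((cr3 & ~CR3_FLAG_BITS) >> PAGE_SHIFT);
    if (rmap == NULL)
        return -1;
    v->cr3 = cr3;
    v->root_rmap = rmap;
    *rmap |= 1;                     /* mark the frame as an active root */
    return 0;
}

int main(void)
{
    struct vcpu_model v = { 0 };
    printf("backed root 0x10000000: %d\n", activate_root_checked(&v, 0x10000000ULL));
    printf("bogus root  0xdead0000: %d\n", activate_root_checked(&v, 0xdead0000ULL));
    printf("reserved bits set:      %d\n", activate_root_checked(&v, 1ULL << 52));
    return 0;
}
```

The check in activate_root_checked() is the one the report says already runs for guest-initiated cr3 writes; the point of the fix is to apply it to the KVM_SET_SREGS path too, so a rejected value comes back as an ioctl error instead of a host-side NULL dereference on the next KVM_RUN.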
