Date: Fri, 07 May 2010 14:00:22 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: coley@...us.mitre.org
Subject: CVE-2010-0730 xen: emulator instruction decoding inconsistency

Assigned with CVE-2010-0730. It does not affect upstream. For more info, 
please see https://bugzilla.redhat.com/CVE-2010-0730.

Due to a mismatch between the opcode decoding table and the 
implementation of the operand decoder in platform.c, the ARPL 
instruction would cause the guest to crash if executed on an MMIO area. 
While this is difficult to exploit from non-root, it is theoretically 
possible to do so.

This fix changes the failure path to inject #UD instead of crashing the 
domain. The guest kernel will transform the #UD into a SIGILL.
---
  arch/x86/hvm/platform.c |    4 +++-
  1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/arch/x86/hvm/platform.c b/arch/x86/hvm/platform.c
index 3d69e9c..86c478d 100644
--- a/arch/x86/hvm/platform.c
+++ b/arch/x86/hvm/platform.c
@@ -1057,7 +1057,9 @@ void handle_mmio(unsigned long gpa)
          for ( i = 0; i < inst_len; i++ )
              printk(" %02x", inst[i] & 0xFF);
          printk("\n");
-        domain_crash_synchronous();
+
+	hvm_inject_exception(TRAP_invalid_op, -1, 0);
+	return;
      }

      regs->eip += inst_len; /* advance %eip */
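
Review bot: the printk loop that dumps the instruction bytes, just above the new hvm_inject_exception() call, is no longer followed by a domain crash, so a guest that keeps executing the undecodable instruction on MMIO re-enters this path each time and can flood the hypervisor log; consider rate-limiting that message or demoting it to a guest-debug level. The two added lines are also indented with tabs while the surrounding context uses spaces, and the bare -1 and 0 arguments would be easier to review with a short comment saying what they mean (presumably "no error code" and an unused cr2 value).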
-- 
1.6.6.1

-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
