oss-security - CVE request -- kernel: kvm: syscall instruction induced guest panic

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Wed, 11 Jan 2012 21:19:43 +0100
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request -- kernel: kvm: syscall instruction induced guest panic

"32bit guests will crash (and 64bit guests may behave in a
wrong way) for example by simply executing following
nasm-demo-application:

    [bits 32]
    global _start
    SECTION .text
    _start: syscall

The reason seems a missing "invalid opcode"-trap (int6) for the
syscall opcode "0f05", which is not available on Intel CPUs
within non-longmodes, as also on some AMD CPUs within legacy-mode.
(depending on CPU vendor, MSR_EFER and cpuid)

Because previous mentioned OSs may not engage corresponding
syscall target-registers (STAR, LSTAR, CSTAR), they remain
NULL and (non trapping) syscalls are leading to multiple
faults and finally crashs."

References:
https://bugzilla.redhat.com/show_bug.cgi?id=773370
https://lkml.org/lkml/2011/12/28/170
http://www.spinics.net/lists/kvm/msg66633.html

Proposed patch:
http://www.spinics.net/lists/kvm/msg66633.html

Credits:
Stephan Bärwolf

Introduced by:
e66bb2ccdcf76d032bbb464b35c292bb3ee58f9b in linux-2.6.32

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.