Bug 308041 (CVE-2010-0298) - Kernel: Multiple KVM vulnerabilities (CVE-2010-{0298,0306,0309,0419})
Summary: Kernel: Multiple KVM vulnerabilities (CVE-2010-{0298,0306,0309,0419})
Status: RESOLVED INVALID
Alias: CVE-2010-0298
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-06 15:28 UTC by Stefan Behte (RETIRED)
Modified: 2012-02-27 22:02 UTC

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:28:31 UTC
CVE-2010-0298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0298):
  The x86 emulator in KVM 83 does not use the Current Privilege Level
  (CPL) and I/O Privilege Level (IOPL) in determining the memory access
  available to CPL3 code, which allows guest OS users to cause a denial
  of service (guest OS crash) or gain privileges on the guest OS by
  leveraging access to a (1) IO port or (2) MMIO region, a related
  issue to CVE-2010-0306.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:47:28 UTC
CVE-2010-0306 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0306):
  The x86 emulator in KVM 83, when a guest is configured for Symmetric
  Multiprocessing (SMP), does not use the Current Privilege Level (CPL)
  and I/O Privilege Level (IOPL) to restrict instruction execution,
  which allows guest OS users to cause a denial of service (guest OS
  crash) or gain privileges on the guest OS by leveraging access to a
  (1) IO port or (2) MMIO region, and replacing an instruction in
  between emulator entry and instruction fetch, a related issue to
  CVE-2010-0298.

CVE-2010-0309 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0309):
  The pit_ioport_read function in the Programmable Interval Timer (PIT)
  emulation in i8254.c in KVM 83 does not properly use the pit_state
  data structure, which allows guest OS users to cause a denial of
  service (host OS crash or hang) by attempting to read the /dev/port
  file.

CVE-2010-0419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0419):
  The x86 emulator in KVM 83, when a guest is configured for Symmetric
  Multiprocessing (SMP), does not properly restrict writing of segment
  selectors to segment registers, which might allow guest OS users to
  cause a denial of service (guest OS crash) or gain privileges on the
  guest OS by leveraging access to a (1) IO port or (2) MMIO region,
  and replacing an instruction in between emulator entry and
  instruction fetch.
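The four descriptions above all come back to the same missing check: the emulator carried out port or MMIO accesses for ring-3 guest code without consulting CPL and IOPL. The following C model is an added illustration, not KVM, kvm-kmod or Gentoo code, of the I/O privilege rule an x86 instruction emulator has to apply before performing an IN/OUT on the guest's behalf, as the Intel SDM defines it: in protected mode the access is granted outright when CPL <= IOPL, otherwise the TSS I/O permission bitmap decides; in virtual-8086 mode the bitmap is always consulted. All names (vcpu_state, x86_io_permitted, iopb_allow and the scenario functions) are hypothetical.

```c
/* Added example, not KVM or Gentoo code: a model of the x86 I/O privilege
 * check an instruction emulator must apply before emulating IN/OUT for the
 * guest. Rule per the Intel SDM: protected mode allows the access outright
 * when CPL <= IOPL, otherwise the TSS I/O permission bitmap decides; in
 * virtual-8086 mode the bitmap is always consulted. Names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IOPB_BYTES 8192 /* 65536 ports, one bit each; a set bit denies the port */

struct vcpu_state {
    uint8_t cpl;              /* privilege level of the executing guest code, 0..3 */
    uint8_t iopl;             /* EFLAGS.IOPL, 0..3 */
    bool    vm86;             /* EFLAGS.VM set: virtual-8086 mode */
    uint8_t iopb[IOPB_BYTES]; /* TSS I/O permission bitmap */
};

void vcpu_init(struct vcpu_state *vcpu, uint8_t cpl, uint8_t iopl, bool vm86)
{
    vcpu->cpl = cpl & 3;
    vcpu->iopl = iopl & 3;
    vcpu->vm86 = vm86;
    /* Deny by default; the CPU also treats ports past the TSS limit as denied. */
    memset(vcpu->iopb, 0xff, sizeof vcpu->iopb);
}

/* Clear the deny bit for one port, as a guest kernel would in its TSS. */
void iopb_allow(struct vcpu_state *vcpu, uint16_t port)
{
    vcpu->iopb[port >> 3] &= (uint8_t)~(1u << (port & 7));
}

/* True if `width` bytes (1, 2 or 4) starting at `port` may be accessed.
 * Every byte of a multi-byte access must be permitted and the access must
 * not run past port 0xFFFF. A false result means the emulator should inject
 * #GP(0) into the guest instead of performing the I/O. */
bool x86_io_permitted(const struct vcpu_state *vcpu, uint16_t port, unsigned width)
{
    if (width != 1 && width != 2 && width != 4)
        return false;
    if ((uint32_t)port + width > 0x10000)
        return false;
    if (!vcpu->vm86 && vcpu->cpl <= vcpu->iopl)
        return true;                    /* privileged enough; bitmap not consulted */
    for (unsigned i = 0; i < width; i++) {
        unsigned p = port + i;
        if (vcpu->iopb[p >> 3] & (1u << (p & 7)))
            return false;               /* bit set: port denied at this CPL */
    }
    return true;
}

/* Scenarios matching the bug text: guest code of various CPLs reaching for a port. */
bool ring0_access_allowed(void)
{
    struct vcpu_state v;
    vcpu_init(&v, 0, 0, false);
    return x86_io_permitted(&v, 0x60, 1);
}

bool ring3_access_without_grant_blocked(void)
{
    struct vcpu_state v;
    vcpu_init(&v, 3, 0, false);         /* CPL 3 > IOPL 0, port 0x60 not granted */
    return !x86_io_permitted(&v, 0x60, 1);
}

bool ring3_granted_port_allowed(void)
{
    struct vcpu_state v;
    vcpu_init(&v, 3, 0, false);
    iopb_allow(&v, 0x60);
    return x86_io_permitted(&v, 0x60, 1);
}

bool ring3_word_straddling_denied_port_blocked(void)
{
    struct vcpu_state v;
    vcpu_init(&v, 3, 0, false);
    iopb_allow(&v, 0x5f);               /* 0x5f granted, 0x60 still denied */
    return !x86_io_permitted(&v, 0x5f, 2);
}

bool vm86_consults_bitmap_even_with_iopl3(void)
{
    struct vcpu_state v;
    vcpu_init(&v, 3, 3, true);          /* IOPL 3 would allow in protected mode */
    return !x86_io_permitted(&v, 0x60, 1);
}

int main(void)
{
    printf("ring0: %d, ring3 no grant: %d, ring3 granted: %d, straddle: %d, vm86: %d\n",
           ring0_access_allowed(), ring3_access_without_grant_blocked(),
           ring3_granted_port_allowed(), ring3_word_straddling_denied_port_blocked(),
           vm86_consults_bitmap_even_with_iopl3());
    return 0;
}
```

Two points from the CVE texts that this model makes concrete: the check has to run against the instruction bytes the emulator actually decoded, not bytes observed earlier, or a second vCPU in an SMP guest can swap the instruction between emulator entry and fetch (the window CVE-2010-0306 and CVE-2010-0419 describe); and a denied result must end in a guest-visible #GP rather than a silently performed access, since performing the I/O is exactly what turns a ring-3 guest bug into a guest-kernel privilege escalation.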

Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2010-03-06 17:58:24 UTC
Gentoo doesn't have or support the kvm series, which went up to 88 before they switched to qemu-kvm. So none of these should affect anything with regard to qemu-kvm.

However, the kernel flaw affects kvm-kmod and sys-kernel/*.
Comment 3 Doug Goldstein (RETIRED) gentoo-dev 2010-06-15 17:34:04 UTC
Ping security... kvm-kmod isn't vulnerable any longer, as the only versions affected are already gone.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:38:37 UTC
GLSA request filed.
Comment 5 Doug Goldstein (RETIRED) gentoo-dev 2011-05-27 23:21:14 UTC
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0435

The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via vectors related to instruction emulation.
Comment 6 Doug Goldstein (RETIRED) gentoo-dev 2011-05-27 23:22:59 UTC
I would say everyone should upgrade to app-emulation/kvm-kmod-2.6.32.27 or app-emulation/kvm-kmod-2.6.35 and newer. The same goes for kernel versions. That will make sure everyone's fixed from all these CVEs.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-05-28 17:22:09 UTC
(In reply to comment #5)
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0435
> 
> The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization
> (RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows guest
> OS users to cause a denial of service (NULL pointer dereference and host OS
> crash) via vectors related to instruction emulation.

Hi, Doug. Please do not add new issues to existing bugs. This bug is largely done while we wait to publish a GLSA. CVE-2010-0435 looks to have been handled in Bug 335872.
Comment 8 Doug Goldstein (RETIRED) gentoo-dev 2011-05-31 18:33:19 UTC
Well this ticket has nothing to do with qemu-kvm. It only has issues with the kernel modules as I noted a year ago.

app-emulation/qemu-kvm was never vulnerable to these issues.
app-emulation/kvm which had these issues was never in the tree in the affected version.

So you're about to write a completely factually incorrect GLSA.

However, you did mix CVEs for two different products here. So you should really separate them into qemu-kvm/kvm and kernel since you again mixed CVEs in bug #335872.

To be clear, Gentoo did carry affected kernels BUT Gentoo did not carry affected userspace components.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-08-20 03:59:34 UTC
(In reply to comment #8)
> Well this ticket has nothing to do with qemu-kvm. It only has issues with the
> kernel modules as I noted a year ago.
> 
> app-emulation/qemu-kvm was never vulnerable to these issues.
> app-emulation/kvm which had these issues was never in the tree in the affected
> version.
> 
> So you're about to write a completely factually incorrect GLSA.
> 
> However, you did mix CVEs for two different products here. So you should really
> separate them into qemu-kvm/kvm and kernel since you again mixed CVEs in bug
> #335872.
> 
> To be clear, Gentoo did carry affected kernels BUT Gentoo did not carry
> affected userspace components.

Hi, Doug. Thank you for keeping us honest. Do I understand correctly that these four vulnerabilities, CVE-2010-{0298,0306,0309,0419}, really apply to app-emulation/kvm-kmod and *not* in any way to app-emulation/qemu-kvm?

You referenced bug 335872; does that bug list the correct packages?

Thanks again.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2012-02-27 21:54:35 UTC
This only affects the Kernel part. Closing INVALID.