lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 26 Nov 2010 01:15:30 +0000
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Avi Kivity <avi@...hat.com>
Cc:	Marcelo Tosatti <mtosatti@...hat.com>,
	Greg Kroah-Hartman <gregkh@...e.de>, stable-review@...nel.org,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [Stable-review] [22/45] KVM: Fix fs/gs reload oops with
 invalid ldt

Greg KH <gregkh@...e.de> wrote:
> 2.6.32-stable review patch.  If anyone has any objections, please let us know.

Obviously it's a bit late now, but...

> ------------------
> 
> From: Avi Kivity <avi@...hat.com>
> 
> commit 9581d442b9058d3699b4be568b6e5eae38a41493 upstream
>
> kvm reloads the host's fs and gs blindly, however the underlying segment
> descriptors may be invalid due to the user modifying the ldt after loading
> them.
> 
> Fix by using the safe accessors (loadsegment() and load_gs_index()) instead
> of home grown unsafe versions.
> 
> This is CVE-2010-3698.
> 
> Signed-off-by: Avi Kivity <avi@...hat.com>
> Signed-off-by: Marcelo Tosatti <mtosatti@...hat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
[...]

Avi, you surely knew this commit was buggy (specifically for i386
userland on an amd64 kernel) since you also committed:

commit c8770e7ba63bb5dd8fe5f9d251275a8fa717fb78
Author: Avi Kivity <avi@...hat.com>
Date:   Thu Nov 11 12:37:26 2010 +0200

    KVM: VMX: Fix host userspace gsbase corruption

I realise it wasn't ready for stable as Linus only pulled it in
2.6.37-rc3, but surely that means this neither of the changes should
have gone into 2.6.32.26.  Why didn't you respond to the review??

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Download attachment "signature.asc" of type "application/pgp-signature" (829 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ