lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 26 Nov 2010 10:32:05 +0200
From:	Avi Kivity <avi@...hat.com>
To:	Ben Hutchings <ben@...adent.org.uk>
CC:	Marcelo Tosatti <mtosatti@...hat.com>,
	Greg Kroah-Hartman <gregkh@...e.de>, stable-review@...nel.org,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [Stable-review] [22/45] KVM: Fix fs/gs reload oops with invalid
 ldt

On 11/26/2010 03:15 AM, Ben Hutchings wrote:
> Greg KH<gregkh@...e.de>  wrote:
> >  2.6.32-stable review patch.  If anyone has any objections, please let us know.
>
> Obviously it's a bit late now, but...
>
> >  ------------------
> >
> >  From: Avi Kivity<avi@...hat.com>
> >
> >  commit 9581d442b9058d3699b4be568b6e5eae38a41493 upstream
> >
> >  kvm reloads the host's fs and gs blindly, however the underlying segment
> >  descriptors may be invalid due to the user modifying the ldt after loading
> >  them.
> >
> >  Fix by using the safe accessors (loadsegment() and load_gs_index()) instead
> >  of home grown unsafe versions.
> >
> >  This is CVE-2010-3698.
> >
> >  Signed-off-by: Avi Kivity<avi@...hat.com>
> >  Signed-off-by: Marcelo Tosatti<mtosatti@...hat.com>
> >  Signed-off-by: Greg Kroah-Hartman<gregkh@...e.de>
> [...]
>
> Avi, you surely knew this commit was buggy (specifically for i386
> userland on an amd64 kernel) since you also committed:
>
> commit c8770e7ba63bb5dd8fe5f9d251275a8fa717fb78
> Author: Avi Kivity<avi@...hat.com>
> Date:   Thu Nov 11 12:37:26 2010 +0200
>
>      KVM: VMX: Fix host userspace gsbase corruption
>
> I realise it wasn't ready for stable as Linus only pulled it in
> 2.6.37-rc3, but surely that means this neither of the changes should
> have gone into 2.6.32.26.  Why didn't you respond to the review??
>

I don't actually read those review emails, there are too many of them.

The fix will go into 2.6.32.stable in time.  Fixing the vulnerability 
was more important than i386-on-x86_64 anyway.

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ