Linux kernel 2.6.25.15 KVM integer overflow in kvm_dev_ioctl_get_supported_cpuid()

2009.11.02
Risk: High
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Quote from the upstream commit: "The number of entries is multiplied by the entry size, which can overflow on 32-bit hosts. Bound the entry count instead."

    if (cpuid->nent < 1)
        goto out;
+   if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
+       cpuid->nent = KVM_MAX_CPUID_ENTRIES;
    r = -ENOMEM;
    cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
    if (!cpuid_entries)

This one can be triggered if /dev/kvm is user accessible (which is recommended...). This was introduced in v2.6.25-rc1, and fixed in v2.6.32-rc4. Only on 32-bit hosts.

References:
http://git.kernel.org/linus/0771671749b59a507b6da4efb931c44d9691e248
http://git.kernel.org/linus/6a54435560efdab1a08f429a954df4d6c740bddf
https://bugzilla.redhat.com/show_bug.cgi?id=530515
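Review bot: clamping cpuid->nent to KVM_MAX_CPUID_ENTRIES silently changes the count the caller asked for, whereas the preceding `if (cpuid->nent < 1) goto out;` path bails out of the request; consider returning an error for an oversized count as well, or documenting in the KVM API description that nent is reduced and must be read back by the caller. The bound itself sits correctly ahead of the `sizeof(struct kvm_cpuid_entry2) * cpuid->nent` multiply that feeds vmalloc(), so the product is now at most KVM_MAX_CPUID_ENTRIES entries and cannot wrap on a 32-bit host.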
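As an added illustration (not code from the advisory or from the kernel), the following C program models the 32-bit size computation on a count chosen so that sizeof(struct kvm_cpuid_entry2) * nent wraps to 24 bytes, then applies the bound from the fix. The struct layout follows the KVM UAPI header; the KVM_MAX_CPUID_ENTRIES value of 40 is assumed for the affected kernels.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same field layout as struct kvm_cpuid_entry2 in the KVM UAPI header:
 * ten __u32 fields, so sizeof() is 40 bytes. */
struct kvm_cpuid_entry2 {
    uint32_t function, index, flags;
    uint32_t eax, ebx, ecx, edx;
    uint32_t padding[3];
};

/* Assumed value of the kernel's KVM_MAX_CPUID_ENTRIES in the affected releases. */
#define KVM_MAX_CPUID_ENTRIES 40

/* Pre-fix size computation; the uint32_t cast models size_t on a 32-bit host. */
static uint32_t alloc_size_unbounded(uint32_t nent)
{
    return (uint32_t)(sizeof(struct kvm_cpuid_entry2) * nent);
}

/* True when the 32-bit product wraps, i.e. vmalloc() gets an undersized request. */
static bool product_wraps_32(uint32_t nent)
{
    return (uint64_t)sizeof(struct kvm_cpuid_entry2) * nent > UINT32_MAX;
}

/* The fix: bound the caller-supplied count before it reaches the multiply. */
static uint32_t clamp_nent(uint32_t nent)
{
    return nent > KVM_MAX_CPUID_ENTRIES ? KVM_MAX_CPUID_ENTRIES : nent;
}

/* Post-fix size computation: at most 40 * 40 = 1600 bytes, which cannot wrap. */
static uint32_t alloc_size_bounded(uint32_t nent)
{
    return (uint32_t)(sizeof(struct kvm_cpuid_entry2) * clamp_nent(nent));
}

int main(void)
{
    /* Constructed input: the smallest count whose 40-byte product exceeds 2^32. */
    uint32_t nent = 107374183u;
    printf("nent=%u wraps=%d pre-fix size=%u bytes\n",
           nent, product_wraps_32(nent), alloc_size_unbounded(nent));
    printf("post-fix nent=%u size=%u bytes\n",
           clamp_nent(nent), alloc_size_bounded(nent));
    return 0;
}
```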

References:

https://bugzilla.redhat.com/show_bug.cgi?id=530515
http://xforce.iss.net/xforce/xfdb/53934
http://www.securityfocus.com/bid/36803
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc4
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.4
http://marc.info/?l=oss-security&m=125632898507373&w=2
http://marc.info/?l=oss-security&m=125628917011048&w=2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6a54435560efdab1a08f429a954df4d6c740bddf



Copyright 2024, cxsecurity.com
