← Back to team overview

kernel-packages team mailing list archive

[Bug 1384539] Re: CVE-2014-3610

 

** Description changed:

- If the guest writes a noncanonical value to certain MSR registers, KVM
- will write that value to the MSR in the host context and a #GP will be
- raised leading to kernel panic. A privileged guest user can use this
- flaw to crash the host. Enabling CONFIG_PARAVIRT when building the
- kernel mitigates this issue because wrmsrl() ends up invoking safe msr
- write variant.
+ The WRMSR processing functionality in the KVM subsystem in the Linux
+ kernel through 3.17.2 does not properly handle the writing of a non-
+ canonical address to a model-specific register, which allows guest OS
+ users to cause a denial of service (host OS crash) by leveraging guest
+ OS privileges, related to the wrmsr_interception function in
+ arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.
+ A privileged guest user can use this flaw to crash the host. Enabling
+ CONFIG_PARAVIRT when building the kernel mitigates this issue because
+ wrmsrl() ends up invoking safe msr write variant.
  
  Break-Fix: - 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1384539

Title:
  CVE-2014-3610

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  New
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  New
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  New
Status in “linux-armadaxp” source package in Precise:
  New
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  Fix Committed
Status in “linux-lts-raring” source package in Precise:
  Invalid
Status in “linux-lts-saucy” source package in Precise:
  Fix Committed
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  New
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  Fix Released
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
  New
Status in “linux-lts-backport-natty” source package in Utopic:
  New
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid
Status in “linux” source package in Vivid:
  Fix Released
Status in “linux-armadaxp” source package in Vivid:
  Invalid
Status in “linux-ec2” source package in Vivid:
  Invalid
Status in “linux-fsl-imx51” source package in Vivid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Vivid:
  New
Status in “linux-lts-backport-natty” source package in Vivid:
  New
Status in “linux-lts-quantal” source package in Vivid:
  Invalid
Status in “linux-lts-raring” source package in Vivid:
  Invalid
Status in “linux-lts-saucy” source package in Vivid:
  Invalid
Status in “linux-mvl-dove” source package in Vivid:
  Invalid
Status in “linux-ti-omap4” source package in Vivid:
  Invalid

Bug description:
  The WRMSR processing functionality in the KVM subsystem in the Linux
  kernel through 3.17.2 does not properly handle the writing of a non-
  canonical address to a model-specific register, which allows guest OS
  users to cause a denial of service (host OS crash) by leveraging guest
  OS privileges, related to the wrmsr_interception function in
  arch/x86/kvm/svm.c and the handle_wrmsr function in
  arch/x86/kvm/vmx.c. A privileged guest user can use this flaw to crash
  the host. Enabling CONFIG_PARAVIRT when building the kernel mitigates
  this issue because wrmsrl() ends up invoking safe msr write variant.

  Break-Fix: - 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1384539/+subscriptions


References