oss-sec mailing list archives
CVE-2010-0730 xen: emulator instruction decoding inconsistency
From: Eugene Teo <eugene () redhat com>
Date: Fri, 07 May 2010 14:00:22 +0800
Assigned with CVE-2010-0730. It does not affect upstream. For more info, please see https://bugzilla.redhat.com/CVE-2010-0730.
Due to a mismatch between the opcode decoding table and the implementation of the operand decoder in platform.c, the ARPL instruction would cause the guest to crash if executed on an MMIO area. While this is difficult to exploit from non-root, it is theoretically possible to do so.
This fix changes the failure path to inject #UD instead of crashing the domain. The guest kernel will transform the #UD into a SIGILL.
--- arch/x86/hvm/platform.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --git a/arch/x86/hvm/platform.c b/arch/x86/hvm/platform.c index 3d69e9c..86c478d 100644 --- a/arch/x86/hvm/platform.c +++ b/arch/x86/hvm/platform.c @@ -1057,7 +1057,9 @@ void handle_mmio(unsigned long gpa) for ( i = 0; i < inst_len; i++ ) printk(" %02x", inst[i] & 0xFF); printk("\n"); - domain_crash_synchronous(); + + hvm_inject_exception(TRAP_invalid_op, -1, 0); + return; } regs->eip += inst_len; /* advance %eip */ -- 1.6.6.1 -- main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
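Review bot: the unconditional printk of the instruction bytes just above the inserted lines is kept on a path that a guest can now reach repeatedly without being crashed, so that console output becomes guest-triggerable; consider rate-limiting it. The early `return` after `hvm_inject_exception(TRAP_invalid_op, -1, 0);` is correct, since it skips `regs->eip += inst_len; /* advance %eip */` and the #UD is delivered at the instruction that failed to decode; worth stating in the description. The mismatch between the opcode decoding table and the operand decoder is not touched by this hunk, so the description should make clear that only the failure path changes and ARPL on MMIO is still not emulated.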