
CVE-2010-0435

Publication date 24 August 2010

Last updated 24 July 2024


Ubuntu priority

The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via vectors related to instruction emulation.

From the Ubuntu Security Team

Gleb Napatov discovered that KVM did not correctly check certain privileged operations. A local attacker with access to a guest kernel could exploit this to crash the host system, leading to a denial of service.

Read the notes from the security team

Status

Package                       Ubuntu release      Status
linux                         10.10 maverick      Not affected
linux                         10.04 LTS lucid     Fixed 2.6.32-28.55
linux                         9.10 karmic         Fixed 2.6.31-22.73
linux                         9.04 jaunty         Ignored (end of life)
linux                         8.04 LTS hardy      Fixed 2.6.24-28.86
linux                         6.06 LTS dapper     Not in release
linux-ec2                     10.10 maverick      Ignored (end of life)
linux-ec2                     10.04 LTS lucid     Fixed 2.6.32-312.24
linux-ec2                     9.10 karmic         Not affected
linux-ec2                     9.04 jaunty         Not in release
linux-ec2                     8.04 LTS hardy      Not in release
linux-ec2                     6.06 LTS dapper     Not in release
linux-fsl-imx51               10.10 maverick      Not in release
linux-fsl-imx51               10.04 LTS lucid     Not affected
linux-fsl-imx51               9.10 karmic         Fixed 2.6.31-112.30
linux-fsl-imx51               8.04 LTS hardy      Not in release
linux-fsl-imx51               6.06 LTS dapper     Not in release
linux-lts-backport-maverick   10.10 maverick      Not in release
linux-lts-backport-maverick   10.04 LTS lucid     Not affected
linux-lts-backport-maverick   9.10 karmic         Not in release
linux-lts-backport-maverick   9.04 jaunty         Not in release
linux-lts-backport-maverick   8.04 LTS hardy      Not in release
linux-lts-backport-maverick   6.06 LTS dapper     Not in release
linux-mvl-dove                10.10 maverick      Not affected
linux-mvl-dove                10.04 LTS lucid     Not affected
linux-mvl-dove                9.10 karmic         Ignored (end of life)
linux-mvl-dove                8.04 LTS hardy      Not in release
linux-mvl-dove                6.06 LTS dapper     Not in release
linux-source-2.6.15           10.10 maverick      Not in release
linux-source-2.6.15           10.04 LTS lucid     Not in release
linux-source-2.6.15           9.10 karmic         Not in release
linux-source-2.6.15           9.04 jaunty         Not in release
linux-source-2.6.15           8.04 LTS hardy      Not in release
linux-source-2.6.15           6.06 LTS dapper     Not affected
linux-ti-omap4                10.10 maverick      Not affected
linux-ti-omap4                10.04 LTS lucid     Not in release
linux-ti-omap4                9.10 karmic         Not in release
linux-ti-omap4                8.04 LTS hardy      Not in release
linux-ti-omap4                6.06 LTS dapper     Not in release

Notes


kees

guest can crash host


smb

Looking at the Red Hat bugzilla, it says: "If emulator is tricked into emulating mov to/from DR instruction it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr are not initialized." Now, before v2.6.36-rc1 KVM has no ops->(set|get)_dr but calls the function directly. So that Oops cannot happen.


kees

but a fix was included for Lucid anyway?


smb

It was by upstream. Now pulled that change back to Hardy and Karmic. I believe the reference in the backport is pointing to upstream commit 020df0794f5764e742feaa718be88b8f1b4ce04f which was part of 2.6.35-rc1

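The failure mode the notes above describe (an emulated mov to/from DR dispatched through an ops table whose DR slots were never filled in) is easy to model in user space. The following is an added illustration written for this page, not KVM's kvm_x86_ops or its emulator; the struct names, the two backends ("with-dr" and "without-dr") and the result codes are hypothetical. It shows the unchecked dispatch that dereferences a NULL function pointer, the guarded dispatch that instead refuses the instruction, and a table audit that would have flagged the empty slots before a guest ever reached them.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the bug class behind this CVE: an instruction
 * emulator calling through a per-backend ops table in which one backend
 * left its debug-register accessors NULL. Illustration code only; this is
 * not KVM's kvm_x86_ops and the names are invented for the example. */

struct vcpu {
    uint64_t dr[8];   /* modelled DR0..DR7 */
};

struct backend_ops {
    const char *name;
    int (*get_dr)(struct vcpu *v, int dr, uint64_t *val);
    int (*set_dr)(struct vcpu *v, int dr, uint64_t val);
};

static int model_get_dr(struct vcpu *v, int dr, uint64_t *val)
{
    if (dr < 0 || dr > 7)
        return -1;
    *val = v->dr[dr];
    return 0;
}

static int model_set_dr(struct vcpu *v, int dr, uint64_t val)
{
    if (dr < 0 || dr > 7)
        return -1;
    v->dr[dr] = val;
    return 0;
}

/* Backend that wires up both accessors. */
static const struct backend_ops ops_with_dr = { "with-dr", model_get_dr, model_set_dr };

/* Backend that leaves them unset: the table exists, the DR slots are NULL,
 * which is what the quoted Red Hat bug describes for VMX. */
static const struct backend_ops ops_without_dr = { "without-dr", NULL, NULL };

enum { EMUL_OK = 0, EMUL_UNHANDLEABLE = -2 };

/* Pre-fix shape: the emulator trusts the table. With ops_without_dr this
 * calls a NULL function pointer: a host oops in the kernel, SIGSEGV here. */
int emulate_mov_to_dr_unchecked(const struct backend_ops *ops, struct vcpu *v,
                                int dr, uint64_t val)
{
    return ops->set_dr(v, dr, val) == 0 ? EMUL_OK : EMUL_UNHANDLEABLE;
}

/* Guarded shape: a missing accessor makes this one instruction fail to
 * emulate; the guest cannot turn an empty slot into a host crash. */
int emulate_mov_to_dr(const struct backend_ops *ops, struct vcpu *v,
                      int dr, uint64_t val)
{
    if (!ops->set_dr)
        return EMUL_UNHANDLEABLE;
    return ops->set_dr(v, dr, val) == 0 ? EMUL_OK : EMUL_UNHANDLEABLE;
}

int emulate_mov_from_dr(const struct backend_ops *ops, struct vcpu *v,
                        int dr, uint64_t *val)
{
    if (!ops->get_dr)
        return EMUL_UNHANDLEABLE;
    return ops->get_dr(v, dr, val) == 0 ? EMUL_OK : EMUL_UNHANDLEABLE;
}

/* Audit helper: count the DR slots a backend leaves NULL, the check that
 * catches an incomplete table at registration time rather than at runtime. */
int count_null_dr_slots(const struct backend_ops *ops)
{
    return (ops->get_dr == NULL) + (ops->set_dr == NULL);
}

/* Write DR6 through the guarded emulator and read it back. Returns
 * EMUL_UNHANDLEABLE if either step is refused, EMUL_OK if the value
 * round-trips, -1 if it does not. */
int dr6_roundtrip(const struct backend_ops *ops, uint64_t val)
{
    struct vcpu v = { {0} };
    uint64_t out = 0;
    if (emulate_mov_to_dr(ops, &v, 6, val) != EMUL_OK)
        return EMUL_UNHANDLEABLE;
    if (emulate_mov_from_dr(ops, &v, 6, &out) != EMUL_OK)
        return EMUL_UNHANDLEABLE;
    return out == val ? EMUL_OK : -1;
}

int main(void)
{
    const struct backend_ops *tables[] = { &ops_with_dr, &ops_without_dr };
    for (size_t i = 0; i < 2; i++) {
        int rc = dr6_roundtrip(tables[i], 0xdeadbeef);
        printf("%s: %d NULL DR slot(s), mov to/from DR6 -> %s\n", tables[i]->name,
               count_null_dr_slots(tables[i]), rc == EMUL_OK ? "ok" : "unhandleable");
    }
    /* emulate_mov_to_dr_unchecked(&ops_without_dr, ...) would crash here. */
    return 0;
}
```

The guarded path deliberately fails closed: refusing to emulate one privileged instruction costs the guest that instruction, whereas the unchecked path costs the host. The audit helper is the cheaper fix in practice, since it turns "a guest can find the NULL slot" into "the table fails review before it is registered".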
References

Related Ubuntu Security Notices (USN)

    • USN-1073-1: Linux kernel vulnerabilities (25 February 2011)
    • USN-1072-1: Linux kernel vulnerabilities (25 February 2011)
    • USN-1083-1: Linux kernel vulnerabilities (3 March 2011)
    • USN-1054-1: Linux kernel vulnerabilities (1 February 2011)

Other references