Your message dated Mon, 12 Oct 2009 10:19:50 +0000
with message-id <e1mxi0m-0006yg...@ries.debian.org>
and subject line Bug#548975: fixed in kvm 85+dfsg-4.1
has caused the Debian Bug report #548975,
regarding kvm-source: allows MMU hypercalls from ring > 0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
548975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=548975
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: kvm-source
Version: 85+dfsg-4
Severity: critical
Tags: patch security
Justification: potential privilege escalation

Upstream patch:
  http://git.kernel.org/?p=virt/kvm/kvm.git;a=commitdiff;h=07708c4af1346ab1521b26a202f438366b7bcffd

Please mention CVE-2009-3290 in your changelog.

diff -urpN kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch 
kvm-85+dfsg/debian/patches/CVE-2009-3290.patch
--- kvm-85+dfsg.orig/debian/patches/CVE-2009-3290.patch 1969-12-31 
17:00:00.000000000 -0700
+++ kvm-85+dfsg/debian/patches/CVE-2009-3290.patch      2009-09-29 
17:05:38.000000000 -0600
@@ -0,0 +1,34 @@
+diff -urpN kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h 
kvm-85+dfsg/kernel/include/linux/kvm_para.h
+--- kvm-85+dfsg.orig/kernel/include/linux/kvm_para.h   2009-04-21 
04:04:03.000000000 -0600
++++ kvm-85+dfsg/kernel/include/linux/kvm_para.h        2009-09-29 
17:04:54.000000000 -0600
+@@ -53,6 +53,7 @@
+ #define KVM_ENOSYS            1000
+ #define KVM_EFAULT            EFAULT
+ #define KVM_E2BIG             E2BIG
++#define KVM_EPERM             EPERM
+ 
+ #define KVM_HC_VAPIC_POLL_IRQ         1
+ #define KVM_HC_MMU_OP                 2
+diff -urpN kvm-85+dfsg.orig/kernel/x86/x86.c kvm-85+dfsg/kernel/x86/x86.c
+--- kvm-85+dfsg.orig/kernel/x86/x86.c  2009-04-21 04:04:13.000000000 -0600
++++ kvm-85+dfsg/kernel/x86/x86.c       2009-09-29 17:05:01.000000000 -0600
+@@ -2873,6 +2873,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+               a3 &= 0xFFFFFFFF;
+       }
+ 
++      if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++              ret = -KVM_EPERM;
++              goto out;
++      }
++
+       switch (nr) {
+       case KVM_HC_VAPIC_POLL_IRQ:
+               ret = 0;
+@@ -2884,6 +2889,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+               ret = -KVM_ENOSYS;
+               break;
+       }
++out:
+       kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
+       ++vcpu->stat.hypercalls;
+       return r;
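Review bot: In the x86.c change to kvm_emulate_hypercall(), the new `goto out` bypasses the switch and lands on `return r;`, but nothing visible in these hunks assigns `r` before the CPL test, so please confirm it is already initialised at that point. The rejected call also still runs `++vcpu->stat.hypercalls`, so the counter will include hypercalls refused with -KVM_EPERM; if that is intended, a one-line comment above the `get_cpl` test stating that hypercalls are honoured only from guest ring 0 would document it. The new patch file also starts directly at `diff -urpN` with no header; putting the upstream commit URL and CVE-2009-3290 at the top would make its origin traceable from the file itself.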
diff -urpN kvm-85+dfsg.orig/debian/patches/series 
kvm-85+dfsg/debian/patches/series
--- kvm-85+dfsg.orig/debian/patches/series      2009-09-29 17:04:12.000000000 
-0600
+++ kvm-85+dfsg/debian/patches/series   2009-09-29 17:05:53.000000000 -0600
@@ -8,3 +8,4 @@ from-debian-qemu/62_linux_boot_nasm.patc
 security/leftover.patch
 qemu-ifup_head.patch
 readd_drive_boot_parameter_help.patch
+CVE-2009-3290.patch
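Review bot: `CVE-2009-3290.patch` is appended at the top level of the series, while the context lines show an existing entry kept under `security/` (`security/leftover.patch`); consider placing the new patch in that directory as well so security fixes stay grouped. If it moves, the series entry and the path of the file added under debian/patches/ have to change together.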



--- End Message ---
--- Begin Message ---
Source: kvm
Source-Version: 85+dfsg-4.1

We believe that the bug you reported is fixed in the latest version of
kvm, which is due to be installed in the Debian FTP archive:

kvm-dbg_85+dfsg-4.1_i386.deb
  to pool/main/k/kvm/kvm-dbg_85+dfsg-4.1_i386.deb
kvm-source_85+dfsg-4.1_all.deb
  to pool/main/k/kvm/kvm-source_85+dfsg-4.1_all.deb
kvm_85+dfsg-4.1.diff.gz
  to pool/main/k/kvm/kvm_85+dfsg-4.1.diff.gz
kvm_85+dfsg-4.1.dsc
  to pool/main/k/kvm/kvm_85+dfsg-4.1.dsc
kvm_85+dfsg-4.1_i386.deb
  to pool/main/k/kvm/kvm_85+dfsg-4.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 548...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated kvm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 09 Oct 2009 19:07:06 +0200
Source: kvm
Binary: kvm kvm-source kvm-dbg
Architecture: source all i386
Version: 85+dfsg-4.1
Distribution: unstable
Urgency: high
Maintainer: Jan Lübbe <jlue...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description: 
 kvm        - Full virtualization on x86 hardware
 kvm-dbg    - Debugging info for kvm
 kvm-source - Source for the KVM driver
Closes: 548975
Changes: 
 kvm (85+dfsg-4.1) unstable; urgency=high
 .
   * Non-maintainer upload by the testing Security Team.
   * Considers hypercalls valid only if issued from guest ring 0 (CVE-2009-3290)
     Thanks to Dann Frazier (Closes: 548975)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEUEARECAAYFAkrQW/IACgkQNxpp46476aqN5ACfcaGT6TYbsq2GiEZO2UbZDkS9
d8kAkwe4MZ7TKGdNiuqFxA5no1Mw3ZM=
=aiOz
-----END PGP SIGNATURE-----



--- End Message ---
