** Description changed: - Linux 2.6.32 - 3.18 that runs KVM may enable a malicious guest process - to crash the guest OS or launch a privilege escalation attack on the - guest. The attack can be launched by tricking the hypervisor to emulate - a SYSENTER instruction in 16-bit mode, if the guest OS does not - initialize the SYSENTER MSRs. KVM does not check under these conditions - that the selector IA32_SYSENTER_CS is not zero, and does not generate a - #GP exception as real hardware does. Instead, it sets the guest - instruction pointer to zero and changes the code privilege level (CPL) - to zero (privileged). Note that the attack can only be issued under very - certain conditions (see the details below). Windows and distro Linux - guest OSes should be safe. The bug existed since the introduction of - SYSENTER emulation (em_sysenter function on recent Linux releases), in - commit 8c60435261deaefeb53ce3222d04d7d5bea81296 , which is present in - Linux 2.6.32 - 3.18. + The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel + before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, + allows guest OS users to gain guest OS privileges or cause a denial of + service (guest OS crash) by triggering use of a 16-bit code segment for + emulation of a SYSENTER instruction. Break-Fix: - f3747379accba8e95d70cec0eae0582c8c182050
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1414651 Title: CVE-2015-0239 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1414651/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
