
Vigil@nce: linux-2.6.18-xen, denial of service

May 2009 by Vigil@nce

SYNTHESIS OF THE VULNERABILITY

An attacker located in a guest system can generate a denial of
service of linux-2.6.18-xen.

Severity: 1/4

Consequences: denial of service of computer

Provenance: user shell

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 22/05/2009

IMPACTED PRODUCTS

Unix - platform

DESCRIPTION OF THE VULNERABILITY

The linux-2.6.18-xen product is a Linux kernel version 2.6.18 with
Xen support. It is a separate branch, distinct from both the
standard Linux kernel and the standard Xen.

The arch/i386/kernel/entry-xen.S assembly file of linux-2.6.18-xen
is a modified version of entry.S, which handles system calls. This
file defines two labels, "scrit" and "ecrit", which mark the start
and the end of a critical region.

On an x86 processor, the current instruction is indicated by the
register pair %cs:%eip (Code Segment and Instruction Pointer).

During a system call, registers (%ebx, %ecx, ..., %eip, %cs, ...)
are stacked. The hypervisor_callback function does not check
whether the stacked %cs register is a privileged segment (bit 1 of
the RPL set - Requested Privilege Level). The main part of this
function is only used if the stacked %eip register is between
"scrit" and "ecrit".

A local unprivileged attacker can therefore use a memory address
between "scrit" and "ecrit" in order to generate an error which
stops the virtual machine.

An attacker located in a guest system can thus generate a denial
of service of linux-2.6.18-xen.
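
The missing check described above, modelled in C as an added example (not code from linux-2.6.18-xen or from Vigil@nce). The region bounds and segment selectors are constructed values, the function names are hypothetical, and the model assumes a 32-bit Xen guest whose kernel runs in ring 1 and whose user code runs in ring 3, so that bit 1 of the RPL is set only for frames stacked from user mode.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bounds standing in for the link-time addresses of the
 * "scrit" and "ecrit" labels in entry-xen.S. */
#define SCRIT 0xc0105000u
#define ECRIT 0xc0105040u

/* Constructed selectors: only the low two bits (the RPL) matter here.
 * Assumption: guest kernel in ring 1 (RPL 1), user code in ring 3 (RPL 3). */
#define CS_RING1 0x0019u
#define CS_RING3 0x0023u

/* True when the stacked %eip lies in [scrit, ecrit) (half-open by assumption). */
static bool in_critical_region(uint32_t eip)
{
    return eip >= SCRIT && eip < ECRIT;
}

/* Behaviour the advisory describes: the stacked %cs is never examined, so
 * any frame whose %eip falls in the range takes the critical-region path. */
bool takes_region_path_vulnerable(uint32_t eip, uint16_t cs)
{
    (void)cs;
    return in_critical_region(eip);
}

/* Hardened model: a frame stacked from user mode (bit 1 of the RPL set)
 * never reaches the range test. */
bool takes_region_path_hardened(uint32_t eip, uint16_t cs)
{
    if (cs & 0x2u)
        return false;
    return in_critical_region(eip);
}

int main(void)
{
    const uint16_t cs[] = { CS_RING1, CS_RING3 };
    for (int i = 0; i < 2; i++)
        printf("cs=%#06x eip in range: vulnerable=%d hardened=%d\n",
               (unsigned)cs[i],
               takes_region_path_vulnerable(SCRIT + 4, cs[i]),
               takes_region_path_hardened(SCRIT + 4, cs[i]));
    return 0;
}
```

The two models differ only for the user-mode frame, which is the case the stacked %cs check is there to reject.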

CHARACTERISTICS

Identifiers: CVE-2009-1758, VIGILANCE-VUL-8728

http://vigilance.fr/vulnerability/linux-2-6-18-xen-denial-of-service-8728

