Vigil@nce: linux-2.6.18-xen, denial of service

May 2009 by Vigil@nce

SYNTHESIS OF THE VULNERABILITY

An attacker located in a guest system can generate a denial of service of linux-2.6.18-xen.

Severity: 1/4

Consequences: denial of service of the computer

Provenance: user shell

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 22/05/2009

IMPACTED PRODUCTS

- Unix - platform

DESCRIPTION OF THE VULNERABILITY

The linux-2.6.18-xen product is a Linux kernel version 2.6.18 with Xen support. It is maintained as a separate branch, distinct from both the standard Linux kernel and the standard Xen distribution.

The arch/i386/kernel/entry-xen.S assembly file of linux-2.6.18-xen is a modified version of entry.S, the file that handles system call and interrupt entry. It defines two labels, "scrit" and "ecrit", which mark the start and the end of a critical region.

On an x86 processor, the currently executing instruction is designated by %cs:%eip (Code Segment selector and Instruction Pointer). The two low bits of a segment selector form its RPL (Requested Privilege Level).

On entry to the kernel (a system call or a hypervisor event delivery), the registers of the interrupted context (%ebx, %ecx, ..., %eip, %cs, ...) are saved on the stack. The hypervisor_callback function does not check whether the saved %cs register designates a privileged segment: in a 32-bit Xen PV guest the kernel runs in ring 1 and user code in ring 3, so bit 1 of the RPL field is set only for a frame saved from user mode. The critical-region fixup part of this function is run solely on the condition that the saved %eip lies between "scrit" and "ecrit".

A local unprivileged user in the guest can therefore arrange for a user-mode frame whose saved %eip falls between "scrit" and "ecrit" (for example by faulting at such an address), so that the critical-region fixup is applied to user-mode state and raises an error which stops the virtual machine.

An attacker located in a guest system can thus generate a denial of service of linux-2.6.18-xen.
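As an added illustration, not taken from the Vigil@nce advisory nor from the linux-2.6.18-xen source, the following C program models the decision that hypervisor_callback makes on the saved frame: the vulnerable form consults only the saved %eip, the corrected form first rejects any frame whose saved %cs has RPL bit 1 set (user mode in a Xen PV guest). The addresses chosen for "scrit" and "ecrit", the selector values, and the three sample frames are assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the hypervisor_callback decision, not the kernel's own code.
 * An x86 segment selector holds: bits 0-1 RPL, bit 2 TI, bits 3-15 index.
 * In a 32-bit Xen PV guest the kernel runs in ring 1 and user code in
 * ring 3, so RPL bit 1 (value 2) is set only for frames saved from user mode.
 */
#define SEL_RPL(sel)  ((unsigned)((sel) & 3u))
#define RPL_USER_BIT  0x2u

/* Assumed addresses for the "scrit" and "ecrit" labels of entry-xen.S. */
#define SCRIT 0xc0103000u
#define ECRIT 0xc0103080u

/* Assumed selector values, chosen so that RPL is 1 (kernel) and 3 (user). */
#define KERNEL_CS 0xe019u
#define USER_CS   0xe02bu

/* The part of the saved register frame that the check looks at. */
struct saved_frame {
    uint32_t eip;
    uint16_t cs;
};

static bool eip_in_critical_region(uint32_t eip)
{
    return eip >= SCRIT && eip < ECRIT;
}

/* True when the saved %cs was pushed for a ring 2 or ring 3 context. */
bool frame_is_user_mode(uint16_t cs)
{
    return (SEL_RPL(cs) & RPL_USER_BIT) != 0;
}

/* Vulnerable decision: only the saved %eip is consulted. */
bool fixup_needed_vulnerable(const struct saved_frame *f)
{
    return eip_in_critical_region(f->eip);
}

/* Corrected decision: a user-mode frame can never be inside the kernel's
 * critical region, so it must never reach the fixup path. */
bool fixup_needed_fixed(const struct saved_frame *f)
{
    if (frame_is_user_mode(f->cs))
        return false;
    return eip_in_critical_region(f->eip);
}

int main(void)
{
    /* Constructed frames: a genuine kernel frame inside the region, a
     * user-mode frame whose %eip was steered into the region, and a
     * user-mode frame at an ordinary user address. */
    const struct saved_frame frames[] = {
        { SCRIT + 0x10, KERNEL_CS },
        { SCRIT + 0x10, USER_CS   },
        { 0x08048000u,  USER_CS   },
    };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        printf("eip=%#lx cs=%#x rpl=%u vulnerable=%d fixed=%d\n",
               (unsigned long)frames[i].eip, (unsigned)frames[i].cs,
               SEL_RPL(frames[i].cs),
               fixup_needed_vulnerable(&frames[i]),
               fixup_needed_fixed(&frames[i]));
    }
    return 0;
}
```

The second frame is the case the advisory describes: with the vulnerable check it is treated as an interrupted kernel critical region although it came from ring 3; with the corrected check the RPL test runs before the address comparison and the frame is handled as an ordinary user-mode entry.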

CHARACTERISTICS

Identifiers: CVE-2009-1758, VIGILANCE-VUL-8728

http://vigilance.fr/vulnerability/linux-2-6-18-xen-denial-of-service-8728
