Vigil@nce: Linux kernel, denial of service via hypercalls
September 2009 by Vigil@nce
On an x86 processor, an attacker located in a KVM guest system can
use an MMU hypercall in order to stop the system.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 18/09/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
A "hypercall" is used by the guest system to access resources
of the host system (it is the equivalent of a system call made by an
application to access kernel resources). A KVM (Kernel Virtual
Machine) guest system can therefore use a hypercall to access
the MMU (Memory Management Unit).
However, the kvm_emulate_hypercall() function of the
arch/x86/kvm/x86.c file does not check whether the calling code runs
in ring 0 (privileged) before calling kvm_pv_mmu_op(). A user
application can thus panic the host kernel.
On an x86 processor, an attacker located in a KVM guest system can
therefore use an MMU hypercall in order to stop the system.
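The following C program is an added illustration of the bug class described above; it is not the Linux KVM code and does not reproduce kvm_emulate_hypercall() or kvm_pv_mmu_op(). It models a hypercall dispatcher in two forms: one that dispatches on the hypercall number alone, so guest user-mode code reaches the MMU handler, and one that rejects the call unless the guest was executing in ring 0. The hypercall number, the error codes, the vcpu structure and the toy page table are all constructed for the example.

```c
#include <stdio.h>

/*
 * Constructed model of a hypercall dispatcher (not Linux KVM code).
 * The "unchecked" dispatcher shows the missing privilege-level check;
 * the "checked" dispatcher shows the mitigation: refuse the hypercall
 * before any dispatch unless the guest code ran in ring 0.
 */

#define HC_MMU_OP   1           /* constructed hypercall number */
#define SHADOW_SIZE 8           /* constructed: entries in the toy page table */

enum hc_ret { HC_OK = 0, HC_EPERM = -1, HC_ENOSYS = -2, HC_EINVAL = -3 };

struct vcpu {
    int cpl;            /* current privilege level of the guest code: 0 = ring 0, 3 = user mode */
    unsigned long nr;   /* hypercall number (real x86 KVM reads it from a guest register) */
    unsigned long a0;   /* first argument: toy page-table index */
    unsigned long a1;   /* second argument: value to store */
};

/* Toy stand-in for the MMU state a privileged MMU hypercall would modify. */
static unsigned long shadow_pt[SHADOW_SIZE];

static int mmu_op(const struct vcpu *v)
{
    if (v->a0 >= SHADOW_SIZE)
        return HC_EINVAL;
    shadow_pt[v->a0] = v->a1;
    return HC_OK;
}

/* Vulnerable pattern: dispatch on the hypercall number only. Any guest
 * code, including an unprivileged ring-3 process, reaches the MMU handler. */
static int emulate_hypercall_unchecked(const struct vcpu *v)
{
    switch (v->nr) {
    case HC_MMU_OP:
        return mmu_op(v);
    default:
        return HC_ENOSYS;
    }
}

/* Hardened pattern: the privilege check runs before any handler is reached,
 * so only the guest kernel (ring 0) can request MMU operations. */
static int emulate_hypercall_checked(const struct vcpu *v)
{
    if (v->cpl != 0)
        return HC_EPERM;
    return emulate_hypercall_unchecked(v);
}

/* Read back the toy page table to confirm whether an operation took effect. */
static unsigned long read_shadow(unsigned long idx)
{
    return idx < SHADOW_SIZE ? shadow_pt[idx] : 0;
}

int main(void)
{
    struct vcpu user_proc    = { .cpl = 3, .nr = HC_MMU_OP, .a0 = 2, .a1 = 0x11 };
    struct vcpu guest_kernel = { .cpl = 0, .nr = HC_MMU_OP, .a0 = 3, .a1 = 0x22 };

    printf("unchecked, ring 3: %d\n", emulate_hypercall_unchecked(&user_proc));
    printf("checked,   ring 3: %d\n", emulate_hypercall_checked(&user_proc));
    printf("checked,   ring 0: %d\n", emulate_hypercall_checked(&guest_kernel));
    return 0;
}
```

The point of the checked variant is where the test sits: the privilege level is compared before the switch on the hypercall number, so no handler can be reached by unprivileged guest code regardless of which number it passes.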
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-9033
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-hypercalls-9033