Vigil@nce: Linux kernel, memory access in KVM
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker located inside a KVM guest system can read or access memory with elevated privileges.
Consequences: administrator access/rights, privileged access/rights, data reading, data creation/edition
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/02/2010
Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
A x86 processor has 4 rings associated to privileges:
ring 0 : all memory accesses and all assembler instructions are allowed
ring 3 : memory access is restricted to segments with the same privilege level
The gva_to_gpa() function of the KVM arch/x86/kvm/emulate.c emulator does not check the CPL (Current Privilege Level) before doing a memory operation.
An attacker located inside a KVM guest system can therefore read or access memory with elevated privileges.
Identifiers: 559091, BID-38158, CVE-2010-0298, DSA-1996-1, RHSA-2010:0088-02, VIGILANCE-VUL-9422