Vigil@nce: Linux kernel, memory access in KVM
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker located inside a KVM guest system can read or access
memory with elevated privileges.
Severity: 2/4
Consequences: administrator access/rights, privileged
access/rights, data reading, data creation/edition
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/02/2010
IMPACTED PRODUCTS
– Debian Linux
– Linux kernel
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
A x86 processor has 4 rings associated to privileges:
– ring 0 : all memory accesses and all assembler instructions are
allowed
– ring 3 : memory access is restricted to segments with the same
privilege level
The gva_to_gpa() function of the KVM arch/x86/kvm/emulate.c
emulator does not check the CPL (Current Privilege Level) before
doing a memory operation.
An attacker located inside a KVM guest system can therefore read
or access memory with elevated privileges.
CHARACTERISTICS
Identifiers: 559091, BID-38158, CVE-2010-0298, DSA-1996-1,
RHSA-2010:0088-02, VIGILANCE-VUL-9422
http://vigilance.fr/vulnerability/Linux-kernel-memory-access-in-KVM-9422