xorl %eax, %eax

CVE-2009-3722: Linux kernel KVM Unchecked Access on DR

leave a comment »

This is a quite funny bug discovered by Avi Kivity of Red Hat on KVM subsystem. The concept is simple, function handle_dr() which can be found at arch/x86/kvm/vmx.c and it is used to handle the emulated Intel Debugging Registers (aka DR) DR0 up to DR7 was not performing any checks on the privilege level of the process that was using them. This allowed any process, regardless of its current privilege level (CPL) to access and use those registers.
To fix this design flaw, a new routine was added in arch/x86/kvm/x86.c that returns either true or false and queue a general protection fault, if the CPL is fine or not respectively.

/*
 * Checks if cpl <= required_cpl; if true, return true.  Otherwise queue
 * a #GP and return false.
 */
bool kvm_require_cpl(struct kvm_vcpu *vcpu, int required_cpl)
{
       if (kvm_x86_ops->get_cpl(vcpu) <= required_cpl)
              return true;
       kvm_queue_exception_e(vcpu, GP_VECTOR, 0);
       return false;
}
EXPORT_SYMBOL_GPL(kvm_require_cpl);

Of course, handle_dr() was also updated to include this check…

        int dr, reg;
 
+       if (!kvm_require_cpl(vcpu, 0))
+               return 1;
        dr = vmcs_readl(GUEST_DR7);

So, I haven’t try it but here is an idea…
Would it work if you attempt to backdoor the kernel of the guest using the DR rootkit technique disclosed by halfdead on his Phrack #65 article “Mistifying the debugger, ultimate stealthness” directly from CPL 3? It would be fun! :)

Written by xorl

October 31, 2009 at 00:48

Posted in bugs, linux

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s