virtualbox guest crash on AMD when calling taskgate with wrong CPL

Bug #1044634 reported by halfdog
Affects                    Status        Importance  Assigned to  Milestone
virtualbox (Ubuntu)        Fix Released  Undecided   Unassigned
  Lucid                    Invalid       Undecided   Unassigned
  Oneiric                  Fix Released  Undecided   Unassigned
  Precise                  Fix Released  Undecided   Unassigned
  Quantal                  Fix Released  Undecided   Unassigned
  Raring                   Fix Released  Undecided   Unassigned
virtualbox-ose (Ubuntu)    Invalid       Undecided   Unassigned
  Lucid                    Fix Released  Undecided   Unassigned
  Oneiric                  Invalid       Undecided   Unassigned
  Precise                  Invalid       Undecided   Unassigned
  Quantal                  Invalid       Undecided   Unassigned
  Raring                   Invalid       Undecided   Unassigned

Bug Description

Ubuntu precise i386 guest kernel (3.2.0-29-generic) can be crashed by invocation of software interrupt 0x8 from userspace. Crash verified only when the guest is running inside virtualbox, e.g. 4.1.12-dfsg-2ubuntu0.1 on an ubuntu precise amd64 kernel 3.2.0-29-generic. Other platforms might also be affected, but this is not confirmed yet.

The cause of the crash is that the ring-0 code recompiler does not check the current privilege level (CPL) when calling a task gate on a processor without VT-x / AMD-V support. The bug is fixed upstream in 4.2.0-RC3, see https://www.virtualbox.org/changeset/43068/vbox

Outcome on linux: Userspace DoS
Outcome on other platforms: Not clear. When they use task gates, this might perhaps lead to local privilege escalation due to invalid processor simulation.

See also http://www.halfdog.net/Security/2012/VirtualBoxSoftwareInterrupt0x8GuestCrash/

# lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

ii virtualbox 4.1.12-dfsg-2ubuntu0.1 x86 virtualization solution - base binaries

While not sure about the cause of the crash, another bug was filed against the kernel (https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1041530), but the kernel is not the root cause.

Tags: patch
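The privilege rule the report says the recompiler skipped, as an added model written for this page (not VirtualBox or upstream code): a software interrupt (INT n) may only go through an IDT gate whose DPL is at least the caller's CPL, and on real hardware that rule applies to task gates exactly as it does to interrupt and trap gates. The gate layout, the two dispatch functions and the vector-8 sample are constructed here for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Gate types as encoded in a 32-bit IDT descriptor (constructed subset). */
enum gate_type { GATE_TASK = 5, GATE_INTR32 = 14, GATE_TRAP32 = 15 };

struct idt_gate {
    uint8_t type;     /* one of gate_type */
    uint8_t dpl;      /* descriptor privilege level, 0..3 */
    bool    present;  /* P bit */
};

enum outcome { DISPATCHED = 0, FAULT_NP = 11, FAULT_GP = 13 };

/* Error code pushed for a fault raised while using IDT entry `vector`:
 * selector index, IDT bit (bit 1) set, EXT bit clear for a software interrupt. */
static inline uint32_t idt_error_code(unsigned vector) { return (vector << 3) | 2; }

/* Pre-fix behaviour as the report describes it: the DPL >= CPL rule for software
 * interrupts is only applied on the interrupt/trap-gate path, so an INT n aimed
 * at a ring-0 task gate from ring 3 goes straight into the task switch. */
enum outcome dispatch_unpatched(const struct idt_gate *g, unsigned cpl, bool is_int)
{
    if (g->type == GATE_TASK)
        return g->present ? DISPATCHED : FAULT_NP;   /* no privilege check here */
    if (is_int && g->dpl < cpl)
        return FAULT_GP;
    return g->present ? DISPATCHED : FAULT_NP;
}

/* Patched behaviour, following the architectural INT n rules: a software interrupt
 * whose gate DPL is below CPL raises #GP for every gate type, before any task switch.
 * Hardware exceptions and external interrupts (is_int == false) are never subject to it. */
enum outcome dispatch_patched(const struct idt_gate *g, unsigned cpl, bool is_int)
{
    if (is_int && g->dpl < cpl)
        return FAULT_GP;
    if (!g->present)
        return FAULT_NP;
    return DISPATCHED;                               /* task switch or handler entry proceeds */
}

int main(void)
{
    /* Constructed sample: vector 8 (#DF) backed by a ring-0 task gate, as a 32-bit
     * Linux guest sets it up; a ring-3 program executes INT 0x8 (is_int == true). */
    struct idt_gate df = { GATE_TASK, 0, true };
    printf("unpatched: %d  patched: %d  (13 = #GP, error code 0x%x)\n",
           dispatch_unpatched(&df, 3, true), dispatch_patched(&df, 3, true), idt_error_code(8));
    return 0;
}
```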
Revision history for this message
halfdog (halfdog) wrote :

Upstream fixes for VirtualBox 4.2.0-RC3 and 4.1.22 available. See https://www.virtualbox.org/changeset/43068/vbox and VirtualBox Changelogs

Changed in virtualbox (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "patch-43068.diff" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Felix Geyer (debfx) wrote :

quantal debdiff

Changed in virtualbox-ose (Ubuntu Lucid):
status: New → Confirmed
Changed in virtualbox-ose (Ubuntu Oneiric):
status: New → Invalid
Changed in virtualbox-ose (Ubuntu Precise):
status: New → Invalid
Changed in virtualbox-ose (Ubuntu Quantal):
status: New → Invalid
Changed in virtualbox-ose (Ubuntu Raring):
status: New → Invalid
Changed in virtualbox (Ubuntu Quantal):
status: New → Confirmed
Changed in virtualbox (Ubuntu Precise):
status: New → Confirmed
Changed in virtualbox (Ubuntu Oneiric):
status: New → Confirmed
Changed in virtualbox (Ubuntu Lucid):
status: New → Confirmed
status: Confirmed → Invalid
Revision history for this message
Felix Geyer (debfx) wrote :

precise debdiff

Revision history for this message
Felix Geyer (debfx) wrote :

oneiric debdiff

Revision history for this message
Felix Geyer (debfx) wrote :

lucid debdiff

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! I've reviewed them and have uploaded them to the security ppa. When they are finished building, I'll push them out to the archive. Thanks again. :)

Changed in virtualbox (Ubuntu Oneiric):
status: Confirmed → Fix Committed
Changed in virtualbox (Ubuntu Precise):
status: Confirmed → Fix Committed
Changed in virtualbox (Ubuntu Quantal):
status: Confirmed → Fix Committed
Changed in virtualbox (Ubuntu Raring):
status: Confirmed → Fix Committed
Changed in virtualbox-ose (Ubuntu Lucid):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox-ose - 3.1.6-dfsg-2ubuntu2.1

---------------
virtualbox-ose (3.1.6-dfsg-2ubuntu2.1) lucid-security; urgency=low

  * SECURITY UPDATE: Missing privilege check for task gate switches
    (LP: #1044634)
    - debian/patches/cve-2012-3221.dpatch: patch from upstream
    - CVE-2012-3221
 -- Felix Geyer <email address hidden> Fri, 26 Oct 2012 14:38:37 +0200

Changed in virtualbox-ose (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.1.12-dfsg-2ubuntu0.2

---------------
virtualbox (4.1.12-dfsg-2ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: Missing privilege check for task gate switches
    (LP: #1044634)
    - debian/patches/cve-2012-3221.patch: patch from upstream
    - CVE-2012-3221
 -- Felix Geyer <email address hidden> Fri, 26 Oct 2012 14:14:34 +0200

Changed in virtualbox (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.1.18-dfsg-1ubuntu1.1

---------------
virtualbox (4.1.18-dfsg-1ubuntu1.1) quantal-security; urgency=low

  * SECURITY UPDATE: Missing privilege check for task gate switches
    (LP: #1044634)
    - debian/patches/cve-2012-3221.patch: patch from upstream
    - CVE-2012-3221
 -- Felix Geyer <email address hidden> Fri, 26 Oct 2012 14:08:43 +0200

Changed in virtualbox (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package virtualbox - 4.1.2-dfsg-1ubuntu1.1

---------------
virtualbox (4.1.2-dfsg-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Missing privilege check for task gate switches
    (LP: #1044634)
    - debian/patches/cve-2012-3221.patch: patch from upstream
    - CVE-2012-3221
 -- Felix Geyer <email address hidden> Fri, 26 Oct 2012 14:15:42 +0200

Changed in virtualbox (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Revision history for this message
Felix Geyer (debfx) wrote :

Fixed in 4.1.18-dfsg-1.1ubuntu1 for raring

Changed in virtualbox (Ubuntu Raring):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
