Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users in a KVM guest and malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges, and by malicious people to cause a DoS.

1) The KVM x86 code emulation functionality does not properly check CPL and IOPL privileges, which can be exploited to execute arbitrary code with escalated privileges.

2) KVM does not properly verify permissions when loading segment selectors, which can be exploited by a malicious userspace process in a guest VM to trick the emulator into loading kernel segments.

Successful exploitation may require an SMP guest.

3) The "clocksource_done_booting()" function in kernel/time/clocksource.c does not correctly initialize the clocksource. This can be exploited to e.g. cause a NULL pointer dereference by reading from "/sys/devices/system/clocksource/clocksource0/current_clocksource".

Successful exploitation requires that the kernel is compiled with the "CONFIG_GENERIC_TIME" option being set to "n".

4) An error within the handling of certain CIFS messages can be exploited to trigger a "BUG_ON()" within the "iov_iter_advance()" function in mm/filemap.c.

5) A NULL pointer dereference error within the "igb_receive_skb()" function in drivers/net/igb/igb_main.c can be exploited to e.g. cause a crash by sending a VLAN tag frame to the affected computer.

Successful exploitation of this vulnerability requires that "CONFIG_PCI_IOV" is enabled and no VLANs are registered.

Solution
Update to version 2.6.34.

Provided and/or discovered by
1, 2) Gleb Natapov, Red Hat
2) Paolo Bonzini, Red Hat
3) Aaro Koskinen
4) Reported by the vendor.
5) Reported in a bug report by Krzysztof Mościcki.

Changelog
Further details available to Secunia VIM customers

Original Advisory
RHSA-2010-0088:
https://rhn.redhat.com/errata/RHSA-2010-0088.html

Red Hat bug #559091, #560654, and #563463:
https://bugzilla.redhat.com/show_bug.cgi?id=559091
https://bugzilla.redhat.com/show_bug.cgi?id=560654
https://bugzilla.redhat.com/show_bug.cgi?id=563463

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1871c6020d7308afb99127bba51f04548e7ca84e
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f850e2e603bf5a05b0aee7901857cf85715aa694

3) http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ad6759fbf35d104dbf573cd6f4c6784ad6823f7e
https://bugzilla.kernel.org/show_bug.cgi?id=15366
4) http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6513a81e9325d712f1bfb9a1d7b750134e49ff18
5) https://bugzilla.kernel.org/show_bug.cgi?id=15582
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=31b24b955c3ebbb6f3008a6374e61cf7c05a193c

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.34

Deep Links
Links available to Secunia VIM customers