Upstream information

CVE-2009-4004 at MITRE

Description

Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc7 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a KVM_X86_SETUP_MCE IOCTL request that specifies a large number of Machine Check Exception (MCE) banks.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 7.2
Vector AV:L/AC:L/Au:N/C:C/I:C/A:C
Access Vector Local
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete

Note from the SUSE Security Team

The MCE setup code was added to KVM in the 2.6.31 kernel. This means that only openSUSE 11.2 is affected by this problem. Older products, like SLES 9, 10 or SLE 11 are not affected by this problem.,The MCE setup code was added to KVM in the 2.6.31 kernel. This means that only openSUSE 11.2 is affected by this problem. Older products, like SUSE Linux Enterprise 9, 10 or SUSE Linux Enterprise 11 are not affected by this problem.

SUSE Bugzilla entry: 557164 [RESOLVED / INVALID]

No SUSE Security Announcements cross referenced.