Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 20 Mar 2013 12:09:53 +0100
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Subject: linux kernel: kvm: CVE-2013-179[6..8]

* CVE-2013-1796
Description of the problem:
If the guest sets the GPA of the time_page so that the request to update
the time straddles a page then KVM will write onto an incorrect page.
Thewrite is done byusing kmap atomic to get a pointer to the page for
the time structure and then performing a memcpy to that page starting at
an offset that the guest controls.  Well behaved guests always provide a
32-byte aligned address, however a malicious guest could use this to
corrupt host kernel memory.

Upstream commit:
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=c300aa64ddf57d9c5d9c898a64b36877345dd4a9

References:
https://bugzilla.redhat.com/show_bug.cgi?id=917012

* CVE-2013-1797
Description of the problem:
There is a potential use after free issue with the handling of
MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or
removable memory such as frame buffers then KVM might continue to write
to that address even after it's removed via KVM_SET_USER_MEMORY_REGION.
KVM pins the page in memory so it's unlikely to cause an issue, but if
the user space component re-purposes the memory previously used for the
guest, then the guest will be able to corrupt that memory.

Upstream commit:
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=0b79459b482e85cb7426aa7da683a9f2c97aeae1

References:
https://bugzilla.redhat.com/show_bug.cgi?id=917013

* CVE-2013-1798
Description of the problem:
If the guest specifies a IOAPIC_REG_SELECT with an invalid value and
follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly
validate that request.  ioapic_read_indirect contains an
ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
non-debug builds.  In recent kernels this allows a guest to cause a
kernel oops by reading invalid memory.  In older kernels (pre-3.3) this
allows a guest to read from large ranges of host memory.

Upstream commit:
https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a2c118bfab8bc6b8bb213abfc35201e441693d55

References:
https://bugzilla.redhat.com/show_bug.cgi?id=917017

All three issues were found and reported by Andrew Honig of Google.

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ