Date: Wed, 20 Mar 2013 12:09:53 +0100 From: Petr Matousek <pmatouse@...hat.com> To: oss-security@...ts.openwall.com Subject: linux kernel: kvm: CVE-2013-179[6..8] * CVE-2013-1796 Description of the problem: If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. Thewrite is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=c300aa64ddf57d9c5d9c898a64b36877345dd4a9 References: https://bugzilla.redhat.com/show_bug.cgi?id=917012 * CVE-2013-1797 Description of the problem: There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=0b79459b482e85cb7426aa7da683a9f2c97aeae1 References: https://bugzilla.redhat.com/show_bug.cgi?id=917013 * CVE-2013-1798 Description of the problem: If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a2c118bfab8bc6b8bb213abfc35201e441693d55 References: https://bugzilla.redhat.com/show_bug.cgi?id=917017 All three issues were found and reported by Andrew Honig of Google. Thanks, -- Petr Matousek / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ