Date: Wed, 29 Oct 2014 16:27:59 -0700 From: Andy Lutomirski <luto@...capital.net> To: oss-security@...ts.openwall.com Subject: Re: CVE-2014-3690: KVM DoS triggerable by malicious host userspace On 10/21/2014 01:48 PM, Andy Lutomirski wrote: > [sorry for somewhat late notice -- I didn't notice that the patch was > public until just now] > > KVM has a bug that allows malicious host user code that can open the > /dev/kvm device on a VMX (Intel) machine to DoS the system. (In my > proof of concept, the DoS is a rather spectacular failure of the whole > system, although I haven't checked whether the kernel panics. A more > refined exploit *might* be able to kill targetted user processes, but > it would be tricky and is subject to possibly unavoidable races that > are likely to take down the whole system.) > > This is *not* triggerable by a guest, although a guest that can > compromise its host QEMU could use this bug to take down everything > else running on the host. > > I would guess that all kernels that support VMX are vulnerable, but I > haven't tested old kernels. > > The fix is here: > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a > > PoC available upon request, and I'll post it publicly in a few days, > because it's kind of fun to watch the fireworks. > > --Andy > As promised, here's the exploit. I didn't really feel like writing a self-contained test case to initialize a KVM vCPU, so I turned QEMU into an exploit instead. Apply the attached patch to QEMU, build it, and run it (qemu-system-x86_64 -machine accel=kvm). --Andy View attachment "0001-Evil-QEMU-hack-to-exploit-a-KVM-CR4-bug.patch" of type "text/x-patch" (1792 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ