Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 29 Oct 2014 16:27:59 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-3690: KVM DoS triggerable by malicious host userspace

On 10/21/2014 01:48 PM, Andy Lutomirski wrote:
> [sorry for somewhat late notice -- I didn't notice that the patch was
> public until just now]
> 
> KVM has a bug that allows malicious host user code that can open the
> /dev/kvm device on a VMX (Intel) machine to DoS the system.  (In my
> proof of concept, the DoS is a rather spectacular failure of the whole
> system, although I haven't checked whether the kernel panics.  A more
> refined exploit *might* be able to kill targetted user processes, but
> it would be tricky and is subject to possibly unavoidable races that
> are likely to take down the whole system.)
> 
> This is *not* triggerable by a guest, although a guest that can
> compromise its host QEMU could use this bug to take down everything
> else running on the host.
> 
> I would guess that all kernels that support VMX are vulnerable, but I
> haven't tested old kernels.
> 
> The fix is here:
> 
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a
> 
> PoC available upon request, and I'll post it publicly in a few days,
> because it's kind of fun to watch the fireworks.
> 
> --Andy
> 

As promised, here's the exploit.

I didn't really feel like writing a self-contained test case to
initialize a KVM vCPU, so I turned QEMU into an exploit instead.  Apply
the attached patch to QEMU, build it, and run it (qemu-system-x86_64
-machine accel=kvm).

--Andy

View attachment "0001-Evil-QEMU-hack-to-exploit-a-KVM-CR4-bug.patch" of type "text/x-patch" (1792 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ