Date: Mon, 16 May 2016 17:30:16 +0530 (IST) From: P J P <ppandit@...hat.com> To: oss security list <oss-security@...ts.openwall.com> cc: Radim Krcmar <rkrcmar@...hat.com>, Paolo Bonzini <pbonzini@...hat.com>, Salvatore Bonaccorso <carnil@...ian.org> Subject: CVE-2016-3713 Linux kernel: kvm: OOB r/w access issue with MSR 0x2F8 Hello, Linux kernel built with the Kernel-based Virtual Machine(CONFIG_KVM) with variable Memory Type Range Registers(MTRR) support is vulnerable to an out-of-bounds r/w access issue. It could occur while accessing processor's MTRRs via ioctl(2) calls. A privileged user inside guest could use this flaw to manipulate host kernel's memory bytes leading to information disclosure OR potentially crashing the kernel resulting in DoS. 'CVE-2016-3713' has been assigned to this issue by Red Hat Inc. A proposed patch is attached herein to fix this issue. Reference: -> https://bugzilla.redhat.com/show_bug.cgi?id=1332139 This issue was reported by Mr David Matlack of Google Inc. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@...hat.com> Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support was introduced by 9ba075a664df ("KVM: MTRR support"). 0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8, which made access to index 124 out of bounds. The surrounding code only WARNs in this situation, thus the guest gained a limited read/write access to struct kvm_arch_vcpu. 0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8 was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was not implemented in KVM, therefore 0x2f8 could never do anything useful and getting rid of it is safe. This fixes CVE-2016-3713. Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs") Cc: stable@...r.kernel.org Reported-by: David Matlack <dmatlack@...gle.com> Signed-off-by: Radim Krčmář <rkrcmar@...hat.com> --- arch/x86/kvm/mtrr.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c index 3f8c732117ec..c146f3c262c3 100644 --- a/arch/x86/kvm/mtrr.c +++ b/arch/x86/kvm/mtrr.c @@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr) case MSR_MTRRdefType: case MSR_IA32_CR_PAT: return true; - case 0x2f8: - return true; } return false; } -- 2.8.1
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ