Date: Wed, 20 Mar 2013 12:09:53 +0100 From: Petr Matousek <pmatouse@...hat.com> To: oss-security@...ts.openwall.com Subject: linux kernel: kvm: CVE-2013-179[6..8] * CVE-2013-1796 Description of the problem: If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. Thewrite is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=c300aa64ddf57d9c5d9c898a64b36877345dd4a9 References: https://bugzilla.redhat.com/show_bug.cgi?id=917012 * CVE-2013-1797 Description of the problem: There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=0b79459b482e85cb7426aa7da683a9f2c97aeae1 References: https://bugzilla.redhat.com/show_bug.cgi?id=917013 * CVE-2013-1798 Description of the problem: If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Upstream commit: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a2c118bfab8bc6b8bb213abfc35201e441693d55 References: https://bugzilla.redhat.com/show_bug.cgi?id=917017 All three issues were found and reported by Andrew Honig of Google. Thanks, -- Petr Matousek / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.