Bug 1131951 (CVE-2014-3601)

Summary: CVE-2014-3601 kernel: kvm: invalid parameter passing in kvm_iommu_map_pages()
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aquini, areis, dhoward, ehabkost, fhrbata, kernel-mgr, knoel, mkenneth, mmilgram, mrezanin, mst, mtosatti, nmurray, pbonzini, rvrbovsk, security-response-team, stefanha
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the Linux kernel's kvm_iommu_map_pages() function handled IOMMU mapping failures. A privileged user in a guest with an assigned host device could use this flaw to crash the host.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:34:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1131952, 1131953, 1144366    
Bug Blocks: 1131958    

Description Petr Matousek 2014-08-20 11:36:36 UTC 
A flaw was found in the way iommu mapping failures were handled in
kvm_iommu_map_pages() function in the Linux kernel. A privileged user in the
guest could use this flaw to crash the host in case the guest has access to
passed in device.

Acknowledgements:

Red Hat would like to thank Jack Morgenstein of Mellanox for reporting this issue; the security impact of this issue was discovered by Michael Tsirkin of Red Hat.
Comment 2 Petr Matousek 2014-08-20 11:41:39 UTC 
Upstream fix:

http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7
Comment 5 Petr Matousek 2014-09-19 09:37:25 UTC 
Statement:

This issue did not affect the Linux kernel versions as shipped with Red Hat Enterprise Linux 7 and Red Hat Enterprise MRG 2. Future kvm updates for Red Hat Enterprise Linux 5 and Linux kernel updates for Red Hat Enterprise Linux 6 may address this issue.
Comment 6 Martin Prpič 2014-10-10 08:45:19 UTC 
IssueDescription:

A flaw was found in the way the Linux kernel's kvm_iommu_map_pages() function handled IOMMU mapping failures. A privileged user in a guest with an assigned host device could use this flaw to crash the host.
Comment 7 errata-xmlrpc 2014-10-14 06:17:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1392 https://rhn.redhat.com/errata/RHSA-2014-1392.html