Bug 1490781 (CVE-2017-1000252)

Summary: CVE-2017-1000252 kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: blc, hkrzesin, jforbes, knoel, mlangsdo, pbonzini, ppandit, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel-3.10.0-720.el7
Doc Type: Bug Fix
Doc Text: A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation (CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value.
Last Closed: 2019-07-12 13:04:31 UTC
Bug Depends On: 1491652, 1491653, 1491654, 1491655, 1492168
Bug Blocks: 1490783

Description Adam Mariš 2017-09-12 08:40:25 UTC
A reachable assertion failure flaw was found in the Linux kernel built with the
KVM virtualisation (CONFIG_KVM) support with Virtual Function I/O feature
(CONFIG_VFIO) enabled. This could occur if a malicious guest device sent a
virtual interrupt (guest IRQ) with larger (>1024) index value.

A guest user/process could use this flaw to crash the KVM hypervisor resulting in DoS.

Note: It affects x86 arch platforms.

Upstream patches:
-----------------
  -> https://marc.info/?l=kvm&m=150549145711115&w=2
  -> https://marc.info/?l=kvm&m=150549146311117&w=2

Introduced by commit:
  -> https://git.kernel.org/linus/efc644048ecde54f016011fe10110addd0de348f

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/09/15/4
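
A model of the failure class described above, as an added example that is not part of the bug report and is not kernel code: it contrasts asserting on a guest-supplied IRQ index with validating it. The table size, the sample routes and every name (`rt_table`, `lookup_asserting`, `lookup_validating`, `HOST_BUG`) are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not kernel code. The table size is a constructed
 * value chosen to match the ">1024" index in the report. */
#define NR_RT_ENTRIES 1024u
#define HOST_BUG 1              /* stands in for the host reaching BUG() */

struct rt_table {
    uint32_t nr_entries;
    uint8_t  in_use[NR_RT_ENTRIES];
    uint32_t host_vector[NR_RT_ENTRIES];
};

/* Constructed sample table: only guest IRQs 0..3 are routed. */
static const struct rt_table demo = {
    .nr_entries  = NR_RT_ENTRIES,
    .in_use      = { 1, 1, 1, 1 },
    .host_vector = { 0x20, 0x21, 0x22, 0x23 },
};

/* Before: the bound is asserted as an invariant although guest_irq is
 * guest-supplied. Returns HOST_BUG where a kernel would stop the host. */
int lookup_asserting(uint32_t guest_irq, uint32_t *vec)
{
    if (guest_irq >= demo.nr_entries)
        return HOST_BUG;
    *vec = demo.host_vector[guest_irq];
    return 0;
}

/* After: the same condition, and an unrouted slot, fail only this request. */
int lookup_validating(uint32_t guest_irq, uint32_t *vec)
{
    if (vec == NULL || guest_irq >= demo.nr_entries || !demo.in_use[guest_irq])
        return -EINVAL;
    *vec = demo.host_vector[guest_irq];
    return 0;
}

int main(void)
{
    uint32_t v = 0, irqs[] = { 3, 1023, 1024, 5000 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof irqs / sizeof irqs[0]; i++)
        printf("irq %u: asserting=%d validating=%d\n", (unsigned)irqs[i],
               lookup_asserting(irqs[i], &v), lookup_validating(irqs[i], &v));
    return 0;
}
```

In the validating form an out-of-range index costs the guest one failed request, while the host keeps running.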

Comment 2 Adam Mariš 2017-09-13 07:03:22 UTC
Acknowledgments:

Name: Jan H. Schönherr (Amazon)

Comment 4 Prasad Pandit 2017-09-14 11:06:51 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.

This issue affects the version of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.

Comment 7 Prasad Pandit 2017-09-15 16:04:30 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1492168]

Comment 8 Rafael Aquini 2017-09-30 11:05:25 UTC
Patch(es) committed on kernel repository and an interim kernel build is undergoing testing

Comment 10 Rafael Aquini 2017-10-02 14:22:42 UTC
Patch(es) available on kernel-3.10.0-720.el7

Comment 11 Justin M. Forbes 2018-01-29 16:39:24 UTC
This was fixed for Fedora with the 4.13.5 updates

Comment 13 errata-xmlrpc 2018-04-10 08:06:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676

Comment 14 errata-xmlrpc 2018-04-10 09:30:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062

Comment 15 errata-xmlrpc 2018-04-17 16:20:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:1130 https://access.redhat.com/errata/RHSA-2018:1130

Comment 16 Product Security DevOps Team 2019-07-12 13:04:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-1000252