Bug 1671913 (CVE-2019-6974)
Summary: | CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm_ioctl_create_device() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Prasad Pandit <ppandit> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | acaringi, airlied, asavkov, bhu, blc, brdeoliv, bskeggs, dedgar, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pbonzini, plougher, ppandit, rt-maint, rvrbovsk, security-response-team, steved, williams, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object, later this reference is transferred to the caller's file descriptor table. If such file descriptor was to be closed, reference count to the VM object could become zero, potentially leading to a use-after-free issue. A user/process could use this flaw to crash the guest VM resulting in a denial of service issue or, potentially, gain privileged access to a system.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:47:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1671915, 1671916, 1671917, 1671922, 1671923, 1671924, 1671925, 1671926, 1673681, 1673843, 1673844, 1717816, 1740259, 1740260, 1740261, 1740262 | ||
Bug Blocks: | 1671898 |
Description
Prasad Pandit
2019-02-02 06:11:14 UTC
Acknowledgments: Name: Jann Horn (Google) Statement: This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2. This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue. Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1673681] This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0833 https://access.redhat.com/errata/RHSA-2019:0833 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0818 https://access.redhat.com/errata/RHSA-2019:0818 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2809 https://access.redhat.com/errata/RHSA-2019:2809 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2019:3967 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:0103 https://access.redhat.com/errata/RHSA-2020:0103 |