Bug 1671913 (CVE-2019-6974)

Summary: CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm_ioctl_create_device()
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, airlied, asavkov, bhu, blc, brdeoliv, bskeggs, dedgar, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pbonzini, plougher, ppandit, rt-maint, rvrbovsk, security-response-team, steved, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object; this reference is later transferred to the caller's file descriptor table. If that file descriptor is closed, the reference count of the VM object could drop to zero, potentially leading to a use-after-free. A user/process could use this flaw to crash the guest VM, resulting in a denial of service, or potentially gain privileged access to the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:47:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1671915, 1671916, 1671917, 1671922, 1671923, 1671924, 1671925, 1671926, 1673681, 1673843, 1673844, 1717816, 1740259, 1740260, 1740261, 1740262
Bug Blocks: 1671898

Description Prasad Pandit 2019-02-02 06:11:14 UTC
A use-after-free issue was found in the way the Linux kernel's KVM hypervisor
implements its device control API. While creating a device via
kvm_ioctl_create_device(), the device holds a reference to a VM object;
later this reference is transferred to the caller's file descriptor table.
If such a file descriptor were to be closed, the reference count of the VM
object could become zero, potentially leading to a use-after-free
issue later.

A user/process could use this flaw to crash the guest VM, resulting in
a DoS issue, OR potentially gain privileged access to a system.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/02/18/2
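The reference-count ordering problem described in this report, as an added user-space model that is not code from the bug report, the kernel, or the upstream patch: the device's reference on the VM is an atomic counter, the original ordering takes that reference only after the fd has been installed (so a concurrent close can drop the count to zero first), and the corrected ordering takes it before the fd exists, as the upstream fix does. Names such as struct vm, create_device and vm_freed_after_create are constructed stand-ins, not kernel identifiers.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
/* Constructed stand-in for struct kvm: only the user count matters here. */
struct vm {
    atomic_int users;   /* models kvm->users_count */
    bool freed;         /* set once the last reference is dropped */
};
struct device { struct vm *vm; };   /* stand-in for struct kvm_device */

static void vm_get(struct vm *vm) { atomic_fetch_add(&vm->users, 1); }

static void vm_put(struct vm *vm)
{
    if (atomic_fetch_sub(&vm->users, 1) == 1)
        vm->freed = true;       /* last reference gone: the VM is destroyed */
}
/* Closing the device fd drops the device's reference (like kvm_device_release()). */
static void device_fd_release(struct device *dev) { vm_put(dev->vm); }
/*
 * Simplified model of kvm_ioctl_create_device(). racing_close stands for
 * another thread closing the freshly installed fd before this function
 * returns. Returns true if the VM was destroyed while the create path
 * still needed it, i.e. the use-after-free window described above.
 */
static bool create_device(struct vm *vm, bool fixed_ordering, bool racing_close)
{
    struct device dev = { .vm = vm };

    if (fixed_ordering)
        vm_get(vm);             /* fixed: reference taken before the fd exists */

    /* anon_inode_getfd(): from here the fd, and its release path, is reachable */
    if (racing_close)
        device_fd_release(&dev);

    if (!fixed_ordering)
        vm_get(vm);             /* original: reference taken after the fd is live */

    return vm->freed;
}
/* Fresh VM with one user (the caller's VM fd); run one scenario. */
static bool vm_freed_after_create(bool fixed_ordering, bool racing_close)
{
    struct vm vm = { .users = 1, .freed = false };
    return create_device(&vm, fixed_ordering, racing_close);
}
int main(void)
{
    printf("original ordering + racing close: freed=%d\n", vm_freed_after_create(false, true));
    printf("fixed ordering    + racing close: freed=%d\n", vm_freed_after_create(true, true));
    return 0;
}
```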

Comment 3 Prasad Pandit 2019-02-06 07:13:37 UTC
Acknowledgments:

Name: Jann Horn (Google)

Comment 6 Prasad Pandit 2019-02-07 11:03:10 UTC
Statement:

This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.

Comment 7 Prasad Pandit 2019-02-07 18:55:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1673681]

Comment 9 errata-xmlrpc 2019-04-23 12:57:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0833 https://access.redhat.com/errata/RHSA-2019:0833

Comment 10 errata-xmlrpc 2019-04-23 14:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0818 https://access.redhat.com/errata/RHSA-2019:0818

Comment 16 errata-xmlrpc 2019-09-20 11:54:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2809 https://access.redhat.com/errata/RHSA-2019:2809

Comment 18 errata-xmlrpc 2019-11-26 11:52:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2019:3967

Comment 22 errata-xmlrpc 2020-01-14 15:53:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:0103 https://access.redhat.com/errata/RHSA-2020:0103