Bug 917013 (CVE-2013-1797)

Summary: CVE-2013-1797 kernel: kvm: after free issue with the handling of MSR_KVM_SYSTEM_TIME
Product: [Other] Security Response
Reporter: Petr Matousek <pmatouse>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: agordeev, anton, areis, dhoward, ehabkost, fhrbata, gleb, jrusnack, juzhang, knoel, lwang, michen, minovotn, mkenneth, mtosatti, npajkovs, rhod, security-response-team, sforsber
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20130320,reported=20130220,source=google,cvss2=6.5/AV:A/AC:H/Au:S/C:C/I:C/A:C,rhel-5/kvm=affected,rhel-5/kernel=notaffected,rhel-6/kernel=affected,mrg-2/realtime-kernel=notaffected,fedora-all/kernel=affected,rhel-6.2.z/kernel=affected,rhel-6.3.z/kernel=affected,cwe=CWE-416
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-04-23 17:11:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 917022, 917023, 917024, 917025, 923967, 964431, 964432
Bug Blocks: 917037

Description Petr Matousek 2013-03-01 08:25:10 EST
Description of the problem:
There is a potential use after free issue with the handling of
MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
memory such as frame buffers then KVM might continue to write to that
address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
the page in memory so it's unlikely to cause an issue, but if the user
space component re-purposes the memory previously used for the guest, then
the guest will be able to corrupt that memory.
Red Hat would like to thank Andrew Honig of Google for reporting this issue.
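A minimal model of the defensive pattern that closes this bug class, added here as an example and not the kernel's own code: a cached guest-physical (GPA) to host-virtual (HVA) translation is tagged with a memslot generation counter and revalidated before every write, so that a region removed via KVM_SET_USER_MEMORY_REGION can no longer be written through a stale host pointer. All names (memslot, hva_cache, set_memory_region, write_guest_stale, write_guest_cached) are hypothetical, chosen for this example, and the memslot table is a constructed stand-in for KVM's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define GUEST_PAGE_SIZE 4096u
#define MAX_SLOTS 4
/* Hypothetical memslot table; host == NULL marks an empty slot. */
struct memslot { uint64_t base_gpa; size_t npages; uint8_t *host; };
static struct memslot slots[MAX_SLOTS];
static uint64_t memslots_generation; /* bumped on every slot add/remove */

/* Model of KVM_SET_USER_MEMORY_REGION: define, replace or remove a slot. */
void set_memory_region(int id, uint64_t gpa, size_t npages, uint8_t *host) {
    slots[id] = (struct memslot){ gpa, npages, host };
    memslots_generation++;
}

static uint8_t *gpa_to_hva(uint64_t gpa) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        uint64_t end = slots[i].base_gpa + (uint64_t)slots[i].npages * GUEST_PAGE_SIZE;
        if (slots[i].host && gpa >= slots[i].base_gpa && gpa < end)
            return slots[i].host + (gpa - slots[i].base_gpa);
    }
    return NULL;
}

/* Cached translation plus the memslot generation it was computed under. */
struct hva_cache { uint64_t gpa; uint8_t *hva; uint64_t generation; };
int hva_cache_init(struct hva_cache *c, uint64_t gpa) {
    c->gpa = gpa;
    c->generation = memslots_generation;
    c->hva = gpa_to_hva(gpa);
    return c->hva ? 0 : -1;
}

/* Buggy pattern: keep writing through the host pointer resolved when the
 * guest set the MSR, even after the backing region was removed or replaced. */
int write_guest_stale(struct hva_cache *c, const void *data, size_t len) {
    if (!c->hva) return -1;
    memcpy(c->hva, data, len); /* may land in memory the guest no longer owns */
    return 0;
}
/* Fixed pattern: if the memslots changed since the cache was built, re-resolve
 * the GPA and refuse the write when it no longer maps into guest memory. */
int write_guest_cached(struct hva_cache *c, const void *data, size_t len) {
    if (c->generation != memslots_generation && hva_cache_init(c, c->gpa) != 0)
        return -1;
    if (!c->hva) return -1;
    memcpy(c->hva, data, len);
    return 0;
}
```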
Comment 1 Petr Matousek 2013-03-01 08:26:06 EST

This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 5 and Red Hat Enterprise MRG as they did not provide support
for the KVM subsystem.
Comment 6 Petr Matousek 2013-03-20 15:47:33 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 923967]
Comment 8 Fedora Update System 2013-03-23 19:58:03 EDT
kernel-3.8.4-202.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 errata-xmlrpc 2013-04-09 14:15:05 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0727 https://rhn.redhat.com/errata/RHSA-2013-0727.html
Comment 10 errata-xmlrpc 2013-04-23 14:28:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0744 https://rhn.redhat.com/errata/RHSA-2013-0744.html
Comment 11 errata-xmlrpc 2013-04-23 14:56:40 EDT
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0746 https://rhn.redhat.com/errata/RHSA-2013-0746.html
Comment 13 errata-xmlrpc 2013-06-11 13:40:36 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server Only

Via RHSA-2013:0928 https://rhn.redhat.com/errata/RHSA-2013-0928.html
Comment 14 errata-xmlrpc 2013-07-09 11:06:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 EUS - Server Only

Via RHSA-2013:1026 https://rhn.redhat.com/errata/RHSA-2013-1026.html