It was found that KVM's Write to Model Specific Register (WRMSR) instruction emulation would write non-canonical values passed in by the guest to certain MSRs in the host's context. A privileged guest user could use this flaw to crash the host.
If the guest writes a noncanonical value to certain MSR registers, KVM will
write that value to the MSR in the host context and a #GP will be raised
leading to kernel panic.
A privileged guest user can use this flaw to crash the host.
Enabling CONFIG_PARAVIRT when building the kernel mitigates this issue because wrmsrl() ends up invoking safe msr write variant.
Red Hat would like to thank Lars Bull of Google and Nadav Amit for reporting
This issue does not affect Linux kernel packages as shipped with Red Hat Enterprise Linux 6 and 7. Future kvm package updates for Red Hat Enterprise Linux 5 may address this issue.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1156543]
kernel-3.16.6-203.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.17.2-300.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kernel-3.14.23-100.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2015:0869 https://rhn.redhat.com/errata/RHSA-2015-0869.html