Bug 1156615 (CVE-2014-8480, CVE-2014-8481) - CVE-2014-8480 CVE-2014-8481 kernel: kvm: NULL pointer dereference during rip relative instruction emulation
Summary: CVE-2014-8480 CVE-2014-8481 kernel: kvm: NULL pointer dereference during rip ...
Status: CLOSED NOTABUG
Alias: CVE-2014-8480, CVE-2014-8481
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20141013,repo...
Keywords: Security
Depends On: 1156616
Blocks: 1156617
TreeView+ depends on / blocked
 
Reported: 2014-10-24 19:30 UTC by Petr Matousek
Modified: 2015-02-16 15:40 UTC (History)
40 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-24 19:33:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Petr Matousek 2014-10-24 19:30:16 UTC
A NULL pointer dereference flaw was found in the way the Linux kernel's kvm emulator processed certain rip relative instructions:

  * certain instructions (such as clflush) were missing proper flags in the
    decoder tables which to lead to uninitialized ctxt->memopp (CVE-2014-8480)

  * certain error cases (such as failure to fetch whole instruction) also lead
    to unitialized ctxt->memopp (CVE-2014-8481)

A privileged (CVE-2014-8480) or unprivileged (CVE-2014-8481) guest user could use these flaws to crash the host. 

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=41061cdb98a0bec464278b4db8e894a3121671f5

CVE-2014-8480 upstream patches:
http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=13e457e0eebf0a0c82c38ceb890d93eb826d62a6
http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=3f6f1480d86bf9fc16c160d803ab1d006e3058d5

CVE-2014-8481 upstream patches:
http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a430c9166312e1aa3d80bce32374233bdbfeba32

Acknowledgements:

Red Hat would like to thank Nadav Amit and Andy Lutomirski for reporting this issue.

Comment 1 Petr Matousek 2014-10-24 19:31:05 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1156616]

Comment 2 Petr Matousek 2014-10-24 19:33:03 UTC
Statement:

These issues do not affect Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

These issues do not affect kvm packages as shipped with Red Hat Enterprise Linux 5.


Note You need to log in before you can comment on or make changes to this bug.