Bug 1490781 (CVE-2017-1000252) - CVE-2017-1000252 kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
Summary: CVE-2017-1000252 kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-1000252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170915,repor...
Depends On: 1491652 1491653 1491654 1491655 1492168
Blocks: 1490783
Reported: 2017-09-12 08:40 UTC by Adam Mariš
Modified: 2019-07-12 13:04 UTC (History)
8 users

Fixed In Version: kernel-3.10.0-720.el7
Doc Type: Bug Fix
Doc Text:
A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation (CONFIG_KVM) support and the Virtual Function I/O feature (CONFIG_VFIO) enabled. The failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a large (>1024) index value.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:31 UTC


Links
System                   ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2018:0676  None      None    None     2018-04-10 08:06:58 UTC
Red Hat Product Errata   RHSA-2018:1062  None      None    None     2018-04-10 09:30:34 UTC
Red Hat Product Errata   RHSA-2018:1130  None      None    None     2018-04-17 16:20:27 UTC

Description Adam Mariš 2017-09-12 08:40:25 UTC
A reachable assertion failure flaw was found in the Linux kernel built with the KVM virtualisation (CONFIG_KVM) support with the Virtual Function I/O feature (CONFIG_VFIO) enabled. This could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value.

A guest user/process could use this flaw to crash the KVM hypervisor, resulting in DoS.

Note: It affects x86 arch platforms.

Upstream patches:
-----------------
  -> https://marc.info/?l=kvm&m=150549145711115&w=2
  -> https://marc.info/?l=kvm&m=150549146311117&w=2

Introduced by commit:
  -> https://git.kernel.org/linus/efc644048ecde54f016011fe10110addd0de348f

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/09/15/4

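As an added illustration of the flaw class described in the report above (this is example code written for this page, not code from the bug report, the reporter, or the Linux kernel): a small user-space C model of the pattern. A guest-controlled IRQ index selects an entry in an IRQ routing table; the vulnerable lookup "checks" the index with a BUG_ON-style assertion, so an out-of-bounds index from the guest side turns into a host-side crash (the DoS the report describes), while the hardened lookup validates the index and returns an error the caller can propagate instead. The struct names, the table size constant, the function names and the sample routes are assumptions made for the example; the kernel's actual data structures and the exact text of the upstream fix are not reproduced here.

```c
/*
 * Added example, not code from the bug report or from the Linux kernel: a
 * simplified user-space model of the pattern behind CVE-2017-1000252.
 * Struct and function names are invented for the example.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Constructed table size for the model (the report cites a >1024 index;
 * the exact kernel limit is not reproduced here). */
#define MODEL_MAX_ROUTES 1024

struct irq_route {
    uint32_t gsi;    /* host-side interrupt this guest IRQ is routed to */
    int      valid;  /* 1 if a route has been configured for this index */
};

struct irq_routing_table {
    uint32_t nr_rt_entries;                 /* number of usable slots */
    struct irq_route map[MODEL_MAX_ROUTES];
};

/* Stand-in for the kernel's BUG_ON(): in the kernel this kills the current
 * task or panics the host; here it only counts hits and prints, so the
 * example runs to completion and the outcome can be observed. */
static int bug_hits;
#define BUG_ON(cond) do {                                   \
        if (cond) {                                         \
            bug_hits++;                                     \
            fprintf(stderr, "BUG_ON(%s) hit\n", #cond);     \
        }                                                   \
    } while (0)

/* Fill a table with n constructed routes: guest IRQ i -> GSI 100 + i. */
void build_sample_table(struct irq_routing_table *rt, uint32_t n)
{
    memset(rt, 0, sizeof *rt);
    if (n > MODEL_MAX_ROUTES)
        n = MODEL_MAX_ROUTES;
    rt->nr_rt_entries = n;
    for (uint32_t i = 0; i < n; i++) {
        rt->map[i].gsi = 100 + i;
        rt->map[i].valid = 1;
    }
}

/* Vulnerable pattern: an untrusted index is "checked" with an assertion that
 * is reachable from guest/user-space input, so the failure mode is a crash
 * rather than an error return. The explicit return after it only keeps this
 * model memory-safe; a real BUG_ON never returns. */
int lookup_route_vulnerable(const struct irq_routing_table *rt,
                            uint32_t guest_irq, uint32_t *gsi)
{
    BUG_ON(guest_irq >= rt->nr_rt_entries);
    if (guest_irq >= rt->nr_rt_entries)
        return -EINVAL;
    *gsi = rt->map[guest_irq].gsi;
    return 0;
}

/* Hardened pattern: validate both the index and the slot, log a diagnostic,
 * and fail the request with an error the caller can hand back to user space. */
int lookup_route_hardened(const struct irq_routing_table *rt,
                          uint32_t guest_irq, uint32_t *gsi)
{
    if (guest_irq >= rt->nr_rt_entries || !rt->map[guest_irq].valid) {
        fprintf(stderr, "no route for guest_irq %u/%u\n",
                guest_irq, rt->nr_rt_entries);
        return -EINVAL;
    }
    *gsi = rt->map[guest_irq].gsi;
    return 0;
}

/* Demo/test helper: build an n-entry table and resolve guest_irq through the
 * chosen path. Returns the GSI (>= 0) on success or a negative errno. */
long try_lookup(int hardened, uint32_t n, uint32_t guest_irq)
{
    struct irq_routing_table rt;
    uint32_t gsi = 0;
    int rc;

    build_sample_table(&rt, n);
    rc = hardened ? lookup_route_hardened(&rt, guest_irq, &gsi)
                  : lookup_route_vulnerable(&rt, guest_irq, &gsi);
    return rc < 0 ? rc : (long)gsi;
}

int main(void)
{
    printf("hardened,   irq 3    -> %ld\n", try_lookup(1, 8, 3));
    printf("hardened,   irq 5000 -> %ld\n", try_lookup(1, 8, 5000));
    long rc = try_lookup(0, 8, 5000);
    printf("vulnerable, irq 5000 -> %ld (bug_hits=%d)\n", rc, bug_hits);
    return 0;
}
```

The defensive takeaway is the one the upstream fix applies: an assertion documents an invariant the kernel itself guarantees, whereas a value that arrives from a guest or from user space is input and has to be validated with an ordinary check and error path. When reviewing hypervisor or driver code, any BUG_ON whose condition depends on data from the less-trusted side is a denial-of-service candidate of exactly this kind.
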
Comment 2 Adam Mariš 2017-09-13 07:03:22 UTC
Acknowledgments:

Name: Jan H. Schönherr (Amazon)

Comment 4 Prasad J Pandit 2017-09-14 11:06:51 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.

This issue affects the version of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.

Comment 7 Prasad J Pandit 2017-09-15 16:04:30 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1492168]

Comment 8 Rafael Aquini 2017-09-30 11:05:25 UTC
Patch(es) committed to the kernel repository, and an interim kernel build is undergoing testing.

Comment 10 Rafael Aquini 2017-10-02 14:22:42 UTC
Patch(es) available on kernel-3.10.0-720.el7

Comment 11 Justin M. Forbes 2018-01-29 16:39:24 UTC
This was fixed for Fedora with the 4.13.5 updates

Comment 13 errata-xmlrpc 2018-04-10 08:06:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676

Comment 14 errata-xmlrpc 2018-04-10 09:30:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062

Comment 15 errata-xmlrpc 2018-04-17 16:20:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:1130 https://access.redhat.com/errata/RHSA-2018:1130

Comment 16 Product Security DevOps Team 2019-07-12 13:04:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-1000252