Bug 1551455 - incorrect locking (possible use-after-free) with bug 1481593 fix
Summary: incorrect locking (possible use-after-free) with bug 1481593 fix
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Paolo Bonzini
QA Contact: Chao Yang
URL:
Whiteboard:
Depends On:
Blocks: 1553775 1554929
TreeView+ depends on / blocked
 
Reported: 2018-03-05 08:41 UTC by Paolo Bonzini
Modified: 2018-11-01 11:06 UTC (History)
15 users (show)

Fixed In Version: qemu-kvm-rhev-2.12.0-1.el7
Doc Type: Bug Fix
Doc Text:
Previously, system calls to the address_space_to_flatview function in some cases targeted functions that were not sufficiently synchronized by the read-copy-update (RCU) mechanism. This was a potential security risk. The affected system calls have been fixed, and they can no longer be used as a vector for malicious code.
Clone Of:
: 1553775 1554929 (view as bug list)
Environment:
Last Closed: 2018-11-01 11:06:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Paolo Bonzini 2018-03-05 08:41:32 UTC 
When introducing of flatview_{read,write}, calls to address_space_to_flatview were placed outside RCU critical sections.

This is wrong and has to be fixed; even though it is unlikely to happen with standard operating systems, malicious code could use it to trigger use-after-free and heap corruption.

Patches posted upstream at:
http://patchew.org/QEMU/20180305083655.6186-1-pbonzini@redhat.com/
Comment 18 errata-xmlrpc 2018-11-01 11:06:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3443
Note You need to log in before you can comment on or make changes to this bug.