Bug 1660604 (CVE-2018-16882) - CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing
Summary: CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing
Status: CLOSED NOTABUG
Alias: CVE-2018-16882
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20181218,repo...
Keywords: Reopened, Security
Depends On: 1660606 1660948 1661082
Blocks: 1659455
Reported: 2018-12-18 19:08 UTC by Prasad J Pandit
Modified: 2019-06-11 11:13 UTC (History)
Clone Of:
Last Closed: 2019-06-10 10:44:16 UTC

Description Prasad J Pandit 2018-12-18 19:08:40 UTC
A use after free issue was found in the way the Linux kernel's KVM hypervisor
processed posted interrupts, when nested(=1) virtualization is enabled.
In nested_get_vmcs12_pages(), in case of an error while processing the posted
interrupt address, it unmaps the 'pi_desc_page' without resetting the 'pi_desc'
descriptor address, which is later used in pi_test_and_clear_on().

A guest user/process could use this flaw to crash the host kernel resulting
in DoS or potentially gain privileged access to a system.

Upstream patch:
---------------
  -> https://marc.info/?l=kvm&m=154514994222809&w=2

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2018/12/18/6
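
Added illustration of the pointer-lifetime mistake the report describes; this is not the kernel's code, and every struct, helper and function here (nested_state, map_page/unmap_page, get_vmcs12_pages, consumer_would_use_stale_desc, scenario) is a hypothetical, simplified model. It contrasts the error path that unmaps the page but leaves pi_desc dangling with the hardened form that clears both, and checks what a later consumer such as pi_test_and_clear_on() would see.

```c
#include <stddef.h>

/* Hypothetical, simplified model of the nVMX state named in the report
 * (not the kernel's own definitions). */
struct pi_desc { unsigned int control; };
struct nested_state {
	void *pi_desc_page;       /* mapped guest page backing the descriptor, or NULL */
	struct pi_desc *pi_desc;  /* pointer into that mapping; must be NULL once unmapped */
};

/* Stand-ins for kmap()/kunmap(): one static backing buffer plus a mapped flag,
 * so a stale pointer can be detected without touching freed memory. */
static struct pi_desc backing_page;
static int page_mapped;
static void *map_page(void) { page_mapped = 1; return &backing_page; }
static void unmap_page(void *page) { (void)page; page_mapped = 0; }

/* Error path modelled on the report. With reset_desc == 0 it behaves like the
 * buggy code: the page is unmapped and pi_desc_page reset, but pi_desc still
 * points into the unmapped page. With reset_desc == 1 (the hardened form)
 * pi_desc is cleared together with its page. */
static void get_vmcs12_pages(struct nested_state *n, int addr_ok, int reset_desc)
{
	n->pi_desc_page = map_page();
	n->pi_desc = (struct pi_desc *)n->pi_desc_page;
	if (!addr_ok) {              /* error while processing the posted-interrupt address */
		unmap_page(n->pi_desc_page);
		n->pi_desc_page = NULL;
		if (reset_desc)
			n->pi_desc = NULL;   /* the fix: no pointer may outlive its mapping */
	}
}

/* Models the later consumer (pi_test_and_clear_on() in the report): returns 1
 * if it would dereference a pointer into an unmapped page, else 0. */
static int consumer_would_use_stale_desc(const struct nested_state *n)
{
	if (n->pi_desc == NULL)
		return 0;                /* the NULL guard only helps if the pointer was reset */
	return page_mapped ? 0 : 1;
}

/* Runs one scenario end to end and returns the consumer's verdict. */
static int scenario(int addr_ok, int reset_desc)
{
	struct nested_state n = { NULL, NULL };
	get_vmcs12_pages(&n, addr_ok, reset_desc);
	return consumer_would_use_stale_desc(&n);
}
```

The invariant worth checking in review of any such error path is that pi_desc is NULL whenever pi_desc_page is NULL.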

Comment 1 Prasad J Pandit 2018-12-18 19:08:44 UTC
Acknowledgments:

Name: Cfir Cohen (google.com)

Comment 2 Prasad J Pandit 2018-12-18 19:09:05 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1660606]

Comment 6 Pedro Sampaio 2019-01-03 14:19:47 UTC
References:

https://lwn.net/Articles/775720/
https://lwn.net/Articles/775721/
