Bug 1671913 (CVE-2019-6974) - CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm_ioctl_create_device()
Summary: CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm_ioctl_create_devi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-6974
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190207,repo...
Depends On: 1671926 1717816 1740259 1740260 1671915 1671916 1671917 1671922 1671923 1671924 1671925 1673681 1673843 1673844 1740261 1740262
Blocks: 1671898
Reported: 2019-02-02 06:11 UTC by Prasad J Pandit
Modified: 2019-08-12 14:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object; later, this reference is transferred to the caller's file descriptor table. If such a file descriptor were to be closed, the reference count on the VM object could become zero, potentially leading to a use-after-free issue. A user/process could use this flaw to crash the guest VM, resulting in a denial of service issue, or potentially gain privileged access to a system.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:47:15 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0870 None None None 2019-04-23 21:26:42 UTC
Red Hat Product Errata RHSA-2019:0818 None None None 2019-04-23 14:28:43 UTC
Red Hat Product Errata RHSA-2019:0833 None None None 2019-04-23 12:57:56 UTC

Description Prasad J Pandit 2019-02-02 06:11:14 UTC
A use-after-free issue was found in the way the Linux kernel's KVM hypervisor
implements its device control API. While creating a device via
kvm_ioctl_create_device(), the device holds a reference to a VM object;
later this reference is transferred to the caller's file descriptor table.
If such a file descriptor was to be closed, the reference count to the VM
object could become zero, potentially leading to a use-after-free
issue later.

A user/process could use this flaw to crash the guest VM resulting in
DoS issue OR potentially gain privileged access to a system.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/02/18/2

Comment 3 Prasad J Pandit 2019-02-06 07:13:37 UTC
Acknowledgments:

Name: Jann Horn (Google)

Comment 6 Prasad J Pandit 2019-02-07 11:03:10 UTC
Statement:

This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.

Comment 7 Prasad J Pandit 2019-02-07 18:55:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1673681]

Comment 9 errata-xmlrpc 2019-04-23 12:57:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0833 https://access.redhat.com/errata/RHSA-2019:0833

Comment 10 errata-xmlrpc 2019-04-23 14:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0818 https://access.redhat.com/errata/RHSA-2019:0818

