Bug 1671913 (CVE-2019-6974) - CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm_ioctl_create_device()
Summary: CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm_ioctl_create_devi...
Status: NEW
Alias: CVE-2019-6974
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=important,public=20190207,repo...
Keywords: Security
Depends On: 1671922 1671923 1671924 1671925 1671926 1673843 1673844 1671915 1671916 1671917 1673681
Blocks: 1671898
Reported: 2019-02-02 06:11 UTC by Prasad J Pandit
Modified: 2019-03-06 00:23 UTC

Doc Text:
A use-after-free vulnerability was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object; later, this reference is transferred to the caller's file descriptor table. If such a file descriptor were to be closed, the reference count of the VM object could become zero, potentially leading to a use-after-free issue. A user/process could use this flaw to crash the guest VM, resulting in a denial of service issue, or, potentially, gain privileged access to a system.

Description Prasad J Pandit 2019-02-02 06:11:14 UTC
A use after free issue was found in the way Linux kernel's KVM hypervisor
implements its device control API. While creating a device via
kvm_ioctl_create_device(), device holds a reference to a VM object,
later this reference is transferred to caller's file descriptor table.
If such file descriptor was to be closed, reference count to the VM
object could become zero, potentially leading to use-after-free
issue later.

A user/process could use this flaw to crash the guest VM resulting in
DoS issue OR potentially gain privileged access to a system.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/02/18/2
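
Added example, not part of the original report and not kernel code: a single-threaded user-space model of the reference-count lifecycle described above, comparing the order in which the VM reference is counted relative to the device fd becoming visible. All names (struct vm, vm_get, vm_put, device_fd_close, create_device) are hypothetical, and the model assumes the flawed order counts the reference only after the fd is published.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for the VM object; not the kernel's struct kvm. */
struct vm { int refs; bool freed; bool touched_after_free; };

static void vm_get(struct vm *vm) {
    if (vm->freed) vm->touched_after_free = true; /* real code would touch freed memory */
    vm->refs++;
}

static void vm_put(struct vm *vm) {
    if (vm->freed) { vm->touched_after_free = true; return; }
    if (--vm->refs == 0) vm->freed = true;        /* last reference: object destroyed */
}

/* Models closing the device fd: release drops the device's VM reference. */
static void device_fd_close(struct vm *vm) { vm_put(vm); }

/*
 * Models device creation. racing_close simulates a second thread closing the
 * new fd as soon as it is visible in the fd table.
 * Returns true if the VM object was used after being freed.
 */
static bool create_device(bool get_before_publish, bool racing_close) {
    struct vm vm = { .refs = 1 };  /* one reference held by the open VM fd */

    if (get_before_publish)
        vm_get(&vm);               /* hardened order: count the reference first */

    /* The fd is published here; from now on another thread can close it. */
    if (racing_close)
        device_fd_close(&vm);

    if (!get_before_publish)
        vm_get(&vm);               /* flawed order: reference counted too late */

    return vm.touched_after_free;
}

int main(void) {
    printf("flawed order, racing close:   UAF=%d\n", create_device(false, true));
    printf("hardened order, racing close: UAF=%d\n", create_device(true, true));
    return 0;
}
```

The general rule the model illustrates: an object must hold every reference it will later drop before it is made reachable through a file descriptor.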

Comment 3 Prasad J Pandit 2019-02-06 07:13:37 UTC
Acknowledgments:

Name: Jann Horn (Google)

Comment 6 Prasad J Pandit 2019-02-07 11:03:10 UTC
Statement:

This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.

Comment 7 Prasad J Pandit 2019-02-07 18:55:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1673681]

