Bug 1950136 (CVE-2021-3501) - CVE-2021-3501 kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run
Summary: CVE-2021-3501 kernel: userspace applications can misuse the KVM API to cause ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3501
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1954219 1954229 1954218 1954221 1954224 1954230 1954240 1954241 1970758
Blocks: 1949610 1950139
TreeView+ depends on / blocked
 
Reported: 2021-04-15 20:21 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-22 15:27 UTC (History)
63 users (show)

Fixed In Version: kernel 5.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.
Clone Of:
Environment:
Last Closed: 2021-06-01 11:32:01 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2522 0 None None None 2021-06-22 15:27:25 UTC

Description Guilherme de Almeida Suckevicz 2021-04-15 20:21:03 UTC
A flaw was found in the Linux kernel. The value of internal.ndata, in the KVM API, is mapped to an array index, which can be updated by a user process at anytime which could lead to an out-of-bounds write. The highest threat from this vulnerability is to data integrity and system availability.

__vmx_handle_exit() uses vcpu->run->internal.ndata, whose value is mapped to an array index and since vcpu->run can be updated in userspace, it allows a out-of-bounds write.

Reference and upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=04c4f2ee3f68c9a4bf1653d15f1a9a435ae33f7a

Comment 8 Rohit Keshri 2021-04-27 18:53:24 UTC
Statement:

This issue affected Linux kernel versions as shipped with Red Hat Enterprise Linux 8 starting with RHEL-8.4.0 and onward kernel version.

Comment 9 Rohit Keshri 2021-04-27 18:53:26 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 11 Rohit Keshri 2021-04-27 18:59:01 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1954240]

Comment 12 Rohit Keshri 2021-04-27 18:59:28 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1954241]

Comment 14 Justin M. Forbes 2021-04-28 14:39:20 UTC
This was fixed for Fedora with the 5.11.16 stable kernel updates.

Comment 15 Rohit Keshri 2021-04-29 04:14:44 UTC
Acknowledgments:

Name: Reiji Watanabe (Google)

Comment 27 errata-xmlrpc 2021-06-01 09:43:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2169 https://access.redhat.com/errata/RHSA-2021:2169

Comment 28 errata-xmlrpc 2021-06-01 10:43:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2165 https://access.redhat.com/errata/RHSA-2021:2165

Comment 29 errata-xmlrpc 2021-06-01 11:04:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2168 https://access.redhat.com/errata/RHSA-2021:2168

Comment 30 Product Security DevOps Team 2021-06-01 11:32:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3501

Comment 32 errata-xmlrpc 2021-06-22 14:55:02 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522

Comment 33 errata-xmlrpc 2021-06-22 15:26:33 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:2522 https://access.redhat.com/errata/RHSA-2021:2522


Note You need to log in before you can comment on or make changes to this bug.