Description of the problem: If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Acknowledgements: Red Hat would like to thank Andrew Honig of Google for reporting this issue.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG as they did not provide support for the KVM subsystem.
Upstream fix: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=c300aa64ddf57d9c5d9c898a64b36877345dd4a9
Created kernel tracking bugs for this issue Affects: fedora-all [bug 923966]
kernel-3.8.4-202.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0727 https://rhn.redhat.com/errata/RHSA-2013-0727.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0744 https://rhn.redhat.com/errata/RHSA-2013-0744.html
This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2013:0746 https://rhn.redhat.com/errata/RHSA-2013-0746.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6.3 EUS - Server Only Via RHSA-2013:0928 https://rhn.redhat.com/errata/RHSA-2013-0928.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6.2 EUS - Server Only Via RHSA-2013:1026 https://rhn.redhat.com/errata/RHSA-2013-1026.html