Description of the problem: If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW, KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Acknowledgements: Red Hat would like to thank Andrew Honig of Google for reporting this issue.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG as they did not provide support for the KVM subsystem.
Upstream fix: https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a2c118bfab8bc6b8bb213abfc35201e441693d55
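The following is an added C model of the bug described above and of the shape of the upstream fix; it is not KVM's code. The register selectors (IOAPIC_REG_ID, IOAPIC_REG_VERSION, IOAPIC_REG_ARB, redirection entries from 0x10 up) follow the IOAPIC programming model, but the struct ioapic_model, the helper names (ioapic_select, redir_index_of, select_is_out_of_range, probe_fixed, probe_vuln, init_model) and the redirection-table contents are assumptions constructed for the example. The ASSERT macro is written the way the description says KVM's behaves: a real check only in a DEBUG build. The pre-fix handler is kept beside the fixed one to show the one-line difference; the demo refuses to drive it with an out-of-range selector, because that read past redirtbl[] is exactly the bug.

```c
/* Added model of the KVM IOAPIC indirect read (CVE-2013-1798 shape).
 * Not KVM's code: struct, helpers and table contents are constructed here. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
#include <assert.h>

#define IOAPIC_NUM_PINS    24
#define IOAPIC_REG_ID      0x00
#define IOAPIC_REG_VERSION 0x01
#define IOAPIC_REG_ARB     0x02
#define IOAPIC_VERSION_ID  0x11

/* Mirrors the ASSERT the description talks about: a check only with DEBUG. */
#ifdef DEBUG
#define ASSERT(x) assert(x)
#else
#define ASSERT(x) do { } while (0)
#endif

struct ioapic_model {
    uint32_t ioregsel;                  /* register selector, written by the guest */
    uint32_t id;
    uint64_t redirtbl[IOAPIC_NUM_PINS]; /* one 64-bit redirection entry per pin */
};

/* A guest write to IOAPIC_REG_SELECT lands here; only the low byte is kept. */
static void ioapic_select(struct ioapic_model *ioapic, uint32_t val)
{
    ioapic->ioregsel = val & 0xff;
}

/* Selectors from 0x10 address the redirection table, two 32-bit halves per entry.
 * Selectors 0x03..0x0f wrap around in the subtraction and also land out of range. */
static uint32_t redir_index_of(uint32_t ioregsel)
{
    return (ioregsel - 0x10) >> 1;
}

/* True when a selector would index past the end of redirtbl[]. */
static bool select_is_out_of_range(uint32_t ioregsel)
{
    return ioregsel > IOAPIC_REG_ARB && redir_index_of(ioregsel) >= IOAPIC_NUM_PINS;
}

/* The three plain registers; returns false for a redirection-table selector. */
static bool read_plain_register(const struct ioapic_model *ioapic, uint32_t *result)
{
    switch (ioapic->ioregsel) {
    case IOAPIC_REG_ID:      *result = (ioapic->id & 0xf) << 24; return true;
    case IOAPIC_REG_VERSION: *result = ((IOAPIC_NUM_PINS - 1) << 16) | IOAPIC_VERSION_ID; return true;
    case IOAPIC_REG_ARB:     *result = 0; return true;
    default:                 return false;
    }
}

/* Pre-fix shape: ASSERT is the only guard, so in a non-debug build an
 * out-of-range selector reads redirtbl[] past its end. */
static uint32_t ioapic_read_indirect_vuln(const struct ioapic_model *ioapic)
{
    uint32_t result, redir_index;
    uint64_t redir_content;

    if (read_plain_register(ioapic, &result))
        return result;
    redir_index = redir_index_of(ioapic->ioregsel);
    ASSERT(redir_index < IOAPIC_NUM_PINS);         /* compiled out without DEBUG */
    redir_content = ioapic->redirtbl[redir_index]; /* out-of-bounds read when index >= 24 */
    return (ioapic->ioregsel & 0x1) ? (uint32_t)(redir_content >> 32) : (uint32_t)redir_content;
}

/* Fixed shape, as in the upstream commit: check the index first and return
 * all ones for an unimplemented register instead of touching memory. */
static uint32_t ioapic_read_indirect_fixed(const struct ioapic_model *ioapic)
{
    uint32_t result, redir_index;
    uint64_t redir_content;

    if (read_plain_register(ioapic, &result))
        return result;
    redir_index = redir_index_of(ioapic->ioregsel);
    if (redir_index < IOAPIC_NUM_PINS)
        redir_content = ioapic->redirtbl[redir_index];
    else
        redir_content = ~0ULL;                     /* no memory access for a bad selector */
    return (ioapic->ioregsel & 0x1) ? (uint32_t)(redir_content >> 32) : (uint32_t)redir_content;
}

/* Constructed table contents: entry i holds 0xA0+i in its high half, 0x30+i in its low half. */
static void init_model(struct ioapic_model *ioapic)
{
    memset(ioapic, 0, sizeof *ioapic);
    ioapic->id = 1;
    for (uint32_t i = 0; i < IOAPIC_NUM_PINS; i++)
        ioapic->redirtbl[i] = ((uint64_t)(0xA0 + i) << 32) | (0x30 + i);
}

/* The guest sequence from the description (select, then read the window) against the fix. */
static uint32_t probe_fixed(uint32_t sel)
{
    struct ioapic_model ioapic;
    init_model(&ioapic);
    ioapic_select(&ioapic, sel);
    return ioapic_read_indirect_fixed(&ioapic);
}

/* Same sequence against the pre-fix handler; returns -1 instead of performing
 * the out-of-bounds read for a selector the ASSERT would have rejected. */
static int64_t probe_vuln(uint32_t sel)
{
    struct ioapic_model ioapic;
    if (select_is_out_of_range(sel))
        return -1;
    init_model(&ioapic);
    ioapic_select(&ioapic, sel);
    return ioapic_read_indirect_vuln(&ioapic);
}

int main(void)
{
    const uint32_t sels[] = { 0x10, 0x11, 0x3f, 0x40, 0xff };
    for (size_t i = 0; i < sizeof sels / sizeof sels[0]; i++)
        printf("select 0x%02x: index %u, fixed read 0x%08x, pre-fix read %lld\n",
               (unsigned)sels[i], (unsigned)redir_index_of(sels[i]),
               (unsigned)probe_fixed(sels[i]), (long long)probe_vuln(sels[i]));
    return 0;
}
```

Selector 0xff gives redir_index 119 against a 24-entry table; the pre-fix handler would dereference that index in a non-debug build, while the fixed handler returns 0xffffffff without any memory access. Both handlers agree on every in-range selector, which is the property a regression test for the fix should check.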
Created kernel tracking bugs for this issue. Affects: fedora-all [bug 923968]
kernel-3.8.4-202.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0727 https://rhn.redhat.com/errata/RHSA-2013-0727.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0744 https://rhn.redhat.com/errata/RHSA-2013-0744.html
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 Via RHSA-2013:0746 https://rhn.redhat.com/errata/RHSA-2013-0746.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.3 EUS - Server Only Via RHSA-2013:0928 https://rhn.redhat.com/errata/RHSA-2013-0928.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.2 EUS - Server Only Via RHSA-2013:1026 https://rhn.redhat.com/errata/RHSA-2013-1026.html