1062368 – (CVE-2014-0049) CVE-2014-0049 kernel: kvm: mmio_fragments out-of-the-bounds access

Bug 1062368 (CVE-2014-0049) - CVE-2014-0049 kernel: kvm: mmio_fragments out-of-the-bounds access

Summary: CVE-2014-0049 kernel: kvm: mmio_fragments out-of-the-bounds access

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2014-0049
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1071836 1071837
Blocks:	1062369
TreeView+	depends on / blocked

Reported:	2014-02-06 18:09 UTC by Petr Matousek
Modified:	2023-05-12 02:10 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-02-06 18:13:55 UTC
Embargoed:

Attachments	(Terms of Use)

Description Petr Matousek 2014-02-06 18:09:54 UTC

The problem occurs when the guest performs a pusha with the stack address
pointing to an mmio address (or an invalid guest physical address) to
start with, but then extending into an ordinary guest physical address.
When doing repeated emulated pushes emulator_read_write sets mmio_needed
to 1 on the first one.  On a later push when the stack points to regular
memory, mmio_nr_fragments is set to 0, but mmio_is_needed is not set
to 0.

As a result, KVM exits to userspace, and then returns to
complete_emulated_mmio.  In complete_emulated_mmio
vcpu->mmio_cur_fragment is incremented.  The termination condition of
vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
The code bounces back and fourth to userspace incrementing
mmio_cur_fragment past it's buffer.  If the guest does nothing else it
eventually leads to a a crash on a memcpy from invalid memory address.

However if a guest code can cause the vm to be destoryed in another
vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
can be used by the guest to control the data that's pointed to by the
call to cancel_work_item, which can be used to gain execution.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f78146b0f

Acknowledgements:

Red Hat would like to thank Lars Bull of Google for reporting this issue.

Comment 1 Petr Matousek 2014-02-06 18:13:55 UTC

Statement:

Not vulnerable.

This issue did not affect the versions of kvm package as shipped with Red
Hat Enterprise Linux 5 as they did not backport the upstream kvm commit
that introduced this issue.

This issue did not affect the versions of Linux kernel as shipped Red Hat
Enterprise Linux 6 as they did not backport the upstream kvm commit that
introduced this issue.

This issue did not affect the versions of Linux kernel as shipped Red Hat
Enterprise MRG as they did not provide support for the KVM subsystem.

Comment 2 Petr Matousek 2014-03-03 09:28:36 UTC

Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a08d3b3b99efd509133946056531cdf8f3a0c09b

Comment 4 Petr Matousek 2014-03-03 09:34:07 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1071837]

Comment 5 Fedora Update System 2014-03-06 08:09:42 UTC

kernel-3.13.5-202.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-03-09 04:38:20 UTC

kernel-3.13.5-103.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.