A use-after-free issue was found in the way the Linux kernel's KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object; later this reference is transferred to the caller's file descriptor table. If such a file descriptor were to be closed, the reference count of the VM object could become zero, potentially leading to a use-after-free issue later. A user/process could use this flaw to crash the guest VM, resulting in a DoS issue, or potentially gain privileged access to a system.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/02/18/2
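The reference-ordering problem described above, modelled in user space as an added example; it is not code from the kernel, the upstream patch, or this report. All struct and function names are hypothetical, and the close that would race on another thread is invoked inline at the point where the descriptor becomes visible.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: "freed" is a flag rather than a real free, so
 * the bad access can be observed safely. All names are hypothetical. */
struct vm { int refs; bool freed; bool touched_after_free; };
struct device { struct vm *vm; };

static void vm_get(struct vm *v) {
    if (v->freed) v->touched_after_free = true;  /* the use-after-free */
    v->refs++;
}
static void vm_put(struct vm *v) {
    if (--v->refs == 0) v->freed = true;         /* last reference gone */
}
/* Closing the device descriptor drops the device's VM reference. Calls
 * below stand in for another thread closing it as soon as it exists. */
static void device_fd_release(struct device *d) { vm_put(d->vm); }

/* Weak ordering: the descriptor is published while the device's VM
 * pointer is still a borrowed (uncounted) reference. */
static void create_device_weak(struct vm *v, struct device *d) {
    d->vm = v;               /* borrowed reference */
    device_fd_release(d);    /* descriptor published; racing close runs */
    vm_get(v);               /* too late: count already reached zero */
}

/* Hardened ordering: take the counted reference first, then publish. */
static void create_device_hardened(struct vm *v, struct device *d) {
    d->vm = v;
    vm_get(v);               /* device owns a counted reference */
    device_fd_release(d);    /* racing close drops only that reference */
}

/* Returns true if the VM was touched after its count hit zero. */
static bool run(bool hardened) {
    struct vm v = { .refs = 1 };   /* reference held by the VM's own fd */
    struct device d = { 0 };
    if (hardened) create_device_hardened(&v, &d);
    else create_device_weak(&v, &d);
    return v.touched_after_free;
}

int main(void) {
    printf("weak: use-after-free=%d\n", run(false));
    printf("hardened: use-after-free=%d\n", run(true));
    return 0;
}
```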
Acknowledgments: Name: Jann Horn (Google)
Statement: This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2. This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1673681]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0833 https://access.redhat.com/errata/RHSA-2019:0833
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:0818 https://access.redhat.com/errata/RHSA-2019:0818
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2809 https://access.redhat.com/errata/RHSA-2019:2809
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:3967 https://access.redhat.com/errata/RHSA-2019:3967
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 7.4 Telco Extended Update Support. Via RHSA-2020:0103 https://access.redhat.com/errata/RHSA-2020:0103