Bug 1965461 (CVE-2021-22543) - CVE-2021-22543 kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks
Summary: CVE-2021-22543 kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1973044 1973088 1975515 1975517 1994422 1965462 1973042 1973043 1973049 1973050 1973051 1973089 1973090 1973091 1975511 1975512 1975513 1975514 1975516 1975748 1975750 1975751 1975752 1975753 1975754 1975755 1975756 1975757 1975758 1975759 1975760 1975761 1975762 1975764 1975765 1975766 1975793 1975794
Blocks: 1965463
TreeView+ depends on / blocked
 
Reported: 2021-05-27 18:19 UTC by Pedro Sampaio
Modified: 2021-10-26 16:21 UTC (History)
61 users (show)

Fixed In Version: kernel 5.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s KVM implementation, where improper handing of the VM_IO|VM_PFNMAP VMAs in KVM bypasses RO checks and leads to pages being freed while still accessible by the VMM and guest. This flaw allows users who can start and control a VM to read/write random pages of memory, resulting in local privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Clone Of:
Environment:
Last Closed: 2021-08-10 13:28:48 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3127 0 None None None 2021-08-10 18:05:33 UTC
Red Hat Product Errata RHBA-2021:3136 0 None None None 2021-08-11 15:39:28 UTC
Red Hat Product Errata RHBA-2021:3474 0 None None None 2021-09-09 05:11:15 UTC
Red Hat Product Errata RHBA-2021:3475 0 None None None 2021-09-09 06:51:06 UTC
Red Hat Product Errata RHBA-2021:3847 0 None None None 2021-10-13 14:32:51 UTC
Red Hat Product Errata RHBA-2021:3862 0 None None None 2021-10-14 13:47:38 UTC
Red Hat Product Errata RHBA-2021:3867 0 None None None 2021-10-14 14:14:43 UTC
Red Hat Product Errata RHBA-2021:3898 0 None None None 2021-10-19 01:16:10 UTC
Red Hat Product Errata RHBA-2021:3911 0 None None None 2021-10-19 09:11:11 UTC
Red Hat Product Errata RHSA-2021:3044 0 None None None 2021-08-10 11:13:19 UTC
Red Hat Product Errata RHSA-2021:3057 0 None None None 2021-08-10 13:14:40 UTC
Red Hat Product Errata RHSA-2021:3088 0 None None None 2021-08-10 13:08:08 UTC
Red Hat Product Errata RHSA-2021:3173 0 None None None 2021-08-17 08:29:20 UTC
Red Hat Product Errata RHSA-2021:3181 0 None None None 2021-08-17 08:31:28 UTC
Red Hat Product Errata RHSA-2021:3235 0 None None None 2021-08-19 15:48:41 UTC
Red Hat Product Errata RHSA-2021:3363 0 None None None 2021-08-31 09:20:51 UTC
Red Hat Product Errata RHSA-2021:3375 0 None None None 2021-08-31 08:53:32 UTC
Red Hat Product Errata RHSA-2021:3380 0 None None None 2021-08-31 09:04:08 UTC
Red Hat Product Errata RHSA-2021:3725 0 None None None 2021-10-05 07:52:45 UTC
Red Hat Product Errata RHSA-2021:3766 0 None None None 2021-10-12 07:44:13 UTC
Red Hat Product Errata RHSA-2021:3767 0 None None None 2021-10-12 08:58:03 UTC
Red Hat Product Errata RHSA-2021:3768 0 None None None 2021-10-12 09:34:33 UTC
Red Hat Product Errata RHSA-2021:3801 0 None None None 2021-10-12 15:29:05 UTC
Red Hat Product Errata RHSA-2021:3802 0 None None None 2021-10-12 15:29:22 UTC
Red Hat Product Errata RHSA-2021:3812 0 None None None 2021-10-12 15:04:46 UTC
Red Hat Product Errata RHSA-2021:3814 0 None None None 2021-10-12 15:05:16 UTC
Red Hat Product Errata RHSA-2021:3943 0 None None None 2021-10-20 09:52:45 UTC
Red Hat Product Errata RHSA-2021:3987 0 None None None 2021-10-26 07:38:04 UTC
Red Hat Product Errata RHSA-2021:4000 0 None None None 2021-10-26 16:21:04 UTC
Red Hat Product Errata RHSA-2021:81932 0 None None None 2021-10-12 07:24:30 UTC

Description Pedro Sampaio 2021-05-27 18:19:53 UTC
An issue was discovered in the Linux: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.

References:

https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584
http://www.openwall.com/lists/oss-security/2021/05/26/3
http://www.openwall.com/lists/oss-security/2021/05/26/4
http://www.openwall.com/lists/oss-security/2021/05/26/5

Comment 1 Pedro Sampaio 2021-05-27 18:20:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1965462]

Comment 9 Mauro Matteo Cascella 2021-06-22 10:43:57 UTC
Upstream fix aiming to address the first PoC from google advisory (vvar_write.c):
https://github.com/torvalds/linux/commit/bd2fae8d
https://github.com/torvalds/linux/commit/a9545779

Note that the second PoC (kernel_write.c) is still being worked on, see https://seclists.org/oss-sec/2021/q2/169.

Comment 21 Mauro Matteo Cascella 2021-06-28 07:54:49 UTC
Upstream fix:
https://github.com/torvalds/linux/commit/f8be156be163a052a067306417cd0ff679068c97

Comment 22 errata-xmlrpc 2021-08-10 11:13:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3044 https://access.redhat.com/errata/RHSA-2021:3044

Comment 23 errata-xmlrpc 2021-08-10 13:08:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3088 https://access.redhat.com/errata/RHSA-2021:3088

Comment 24 errata-xmlrpc 2021-08-10 13:14:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3057 https://access.redhat.com/errata/RHSA-2021:3057

Comment 25 Product Security DevOps Team 2021-08-10 13:28:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22543

Comment 26 errata-xmlrpc 2021-08-17 08:29:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3173 https://access.redhat.com/errata/RHSA-2021:3173

Comment 27 errata-xmlrpc 2021-08-17 08:31:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3181 https://access.redhat.com/errata/RHSA-2021:3181

Comment 29 errata-xmlrpc 2021-08-19 15:48:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235

Comment 30 errata-xmlrpc 2021-08-31 08:53:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3375 https://access.redhat.com/errata/RHSA-2021:3375

Comment 31 errata-xmlrpc 2021-08-31 09:04:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3380 https://access.redhat.com/errata/RHSA-2021:3380

Comment 32 errata-xmlrpc 2021-08-31 09:20:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3363 https://access.redhat.com/errata/RHSA-2021:3363

Comment 33 errata-xmlrpc 2021-10-05 07:52:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2021:3725 https://access.redhat.com/errata/RHSA-2021:3725

Comment 34 errata-xmlrpc 2021-10-12 07:24:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:81932 https://access.redhat.com/errata/RHSA-2021:81932

Comment 35 errata-xmlrpc 2021-10-12 07:44:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:3766 https://access.redhat.com/errata/RHSA-2021:3766

Comment 36 errata-xmlrpc 2021-10-12 09:34:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3768 https://access.redhat.com/errata/RHSA-2021:3768

Comment 37 errata-xmlrpc 2021-10-12 15:04:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:3812 https://access.redhat.com/errata/RHSA-2021:3812

Comment 38 errata-xmlrpc 2021-10-12 15:05:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2021:3814 https://access.redhat.com/errata/RHSA-2021:3814

Comment 39 errata-xmlrpc 2021-10-12 15:29:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3801 https://access.redhat.com/errata/RHSA-2021:3801

Comment 40 errata-xmlrpc 2021-10-12 15:29:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3802 https://access.redhat.com/errata/RHSA-2021:3802

Comment 42 errata-xmlrpc 2021-10-20 09:52:41 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:3943 https://access.redhat.com/errata/RHSA-2021:3943

Comment 43 errata-xmlrpc 2021-10-26 07:38:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2021:3987 https://access.redhat.com/errata/RHSA-2021:3987

Comment 44 errata-xmlrpc 2021-10-26 16:20:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2021:4000 https://access.redhat.com/errata/RHSA-2021:4000


Note You need to log in before you can comment on or make changes to this bug.