Bug 1965461 (CVE-2021-22543) - CVE-2021-22543 kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks
Summary: CVE-2021-22543 kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1973088 1965462 1973042 1973043 1973044 1973049 1973050 1973051 1973089 1973090 1973091 1975511 1975512 1975513 1975514 1975515 1975516 1975517 1975748 1975750 1975751 1975752 1975753 1975754 1975755 1975756 1975757 1975758 1975759 1975760 1975761 1975762 1975764 1975765 1975766 1975793 1975794 1994422
Blocks: 1965463
 
Reported: 2021-05-27 18:19 UTC by Pedro Sampaio
Modified: 2022-07-19 16:23 UTC (History)

Fixed In Version: kernel 5.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's KVM implementation, where improper handling of VM_IO|VM_PFNMAP VMAs in KVM bypasses read-only (RO) checks and leads to pages being freed while still accessible by the VMM and guest. This flaw allows users who can start and control a VM to read/write random pages of memory, resulting in local privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Clone Of:
Environment:
Last Closed: 2021-08-10 13:28:48 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3127 0 None None None 2021-08-10 18:05:33 UTC
Red Hat Product Errata RHBA-2021:3136 0 None None None 2021-08-11 15:39:28 UTC
Red Hat Product Errata RHBA-2021:3474 0 None None None 2021-09-09 05:11:15 UTC
Red Hat Product Errata RHBA-2021:3475 0 None None None 2021-09-09 06:51:06 UTC
Red Hat Product Errata RHBA-2021:3847 0 None None None 2021-10-13 14:32:51 UTC
Red Hat Product Errata RHBA-2021:3862 0 None None None 2021-10-14 13:47:38 UTC
Red Hat Product Errata RHBA-2021:3867 0 None None None 2021-10-14 14:14:43 UTC
Red Hat Product Errata RHBA-2021:3898 0 None Waiting on Customer [rfe] Service Telemetry Framework in a disconnected environment Deployment 2022-06-02 15:17:53 UTC
Red Hat Product Errata RHBA-2021:3911 0 None None None 2021-10-19 09:11:11 UTC
Red Hat Product Errata RHSA-2021:3044 0 None None None 2021-08-10 11:13:19 UTC
Red Hat Product Errata RHSA-2021:3057 0 None None None 2021-08-10 13:14:40 UTC
Red Hat Product Errata RHSA-2021:3088 0 None None None 2021-08-10 13:08:08 UTC
Red Hat Product Errata RHSA-2021:3173 0 None None None 2021-08-17 08:29:20 UTC
Red Hat Product Errata RHSA-2021:3181 0 None None None 2021-08-17 08:31:28 UTC
Red Hat Product Errata RHSA-2021:3235 0 None None None 2021-08-19 15:48:41 UTC
Red Hat Product Errata RHSA-2021:3363 0 None None None 2021-08-31 09:20:51 UTC
Red Hat Product Errata RHSA-2021:3375 0 None None None 2021-08-31 08:53:32 UTC
Red Hat Product Errata RHSA-2021:3380 0 None None None 2021-08-31 09:04:08 UTC
Red Hat Product Errata RHSA-2021:3725 0 None None None 2021-10-05 07:52:45 UTC
Red Hat Product Errata RHSA-2021:3766 0 None None None 2021-10-12 07:44:13 UTC
Red Hat Product Errata RHSA-2021:3767 0 None None None 2021-10-12 08:58:03 UTC
Red Hat Product Errata RHSA-2021:3768 0 None None None 2021-10-12 09:34:33 UTC
Red Hat Product Errata RHSA-2021:3801 0 None None None 2021-10-12 15:29:05 UTC
Red Hat Product Errata RHSA-2021:3802 0 None None None 2021-10-12 15:29:22 UTC
Red Hat Product Errata RHSA-2021:3812 0 None None None 2021-10-12 15:04:46 UTC
Red Hat Product Errata RHSA-2021:3814 0 None None None 2021-10-12 15:05:16 UTC
Red Hat Product Errata RHSA-2021:3943 0 None None None 2021-10-20 09:52:45 UTC
Red Hat Product Errata RHSA-2021:3987 0 None None None 2021-10-26 07:38:04 UTC
Red Hat Product Errata RHSA-2021:4000 0 None None None 2021-10-26 16:21:04 UTC
Red Hat Product Errata RHSA-2021:81932 0 None None None 2021-10-12 07:24:30 UTC
Red Hat Product Errata RHSA-2022:5640 0 None None None 2022-07-19 16:23:27 UTC

Description Pedro Sampaio 2021-05-27 18:19:53 UTC
An issue was discovered in the Linux kernel's KVM: improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allows users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation.

References:

https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584
http://www.openwall.com/lists/oss-security/2021/05/26/3
http://www.openwall.com/lists/oss-security/2021/05/26/4
http://www.openwall.com/lists/oss-security/2021/05/26/5

Comment 1 Pedro Sampaio 2021-05-27 18:20:44 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1965462]

Comment 9 Mauro Matteo Cascella 2021-06-22 10:43:57 UTC
Upstream fixes aiming to address the first PoC from the Google advisory (vvar_write.c):
https://github.com/torvalds/linux/commit/bd2fae8d
https://github.com/torvalds/linux/commit/a9545779

Note that the second PoC (kernel_write.c) is still being worked on, see https://seclists.org/oss-sec/2021/q2/169.

Comment 21 Mauro Matteo Cascella 2021-06-28 07:54:49 UTC
Upstream fix:
https://github.com/torvalds/linux/commit/f8be156be163a052a067306417cd0ff679068c97
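
The commit above addresses the "pages freed while still accessible" half of the Doc Text: in the VM_IO|VM_PFNMAP path KVM used to take a reference on any non-reserved pfn and its callers always drop one afterwards, so a valid struct page that was mapped without being refcounted (its count already zero) was freed by that drop while its real owner still used it. The fix gates the path on a new helper, kvm_try_get_pfn(), which accepts reserved pfns (their release is a no-op) and otherwise only takes a reference if one is already held. What follows is an added example, not code from the bug report or the kernel tree: a user-space model of that check, with struct page, kvm_is_reserved_pfn(), get_page_unless_zero(), put_page() and kvm_release_pfn_clean() replaced by a four-entry table and plain integers so the before/after logic can be run and tested outside the kernel. The table contents, and the names simulate and refcount_of, are this example's own assumptions.

```c
/* Added example (not from the bug report or the kernel tree): user-space
 * model of the kvm_try_get_pfn() gate added by f8be156be163. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum { NR_PAGES = 4 };

/* Stand-in for struct page: refcount plus the PG_reserved and "freed" state. */
struct page {
    int  refcount;   /* 0 = not refcounted (or already freed) */
    bool reserved;   /* PG_reserved: MMIO, firmware; never refcounted */
    bool freed;      /* set when a put_page() takes the count to zero */
};

static struct page page_tbl[NR_PAGES];

/* Constructed sample page table (assumption of this model). */
static void reset_pages(void)
{
    page_tbl[0] = (struct page){ .refcount = 1, .reserved = false }; /* ordinary page */
    page_tbl[1] = (struct page){ .refcount = 0, .reserved = true  }; /* device MMIO */
    page_tbl[2] = (struct page){ .refcount = 0, .reserved = false }; /* valid but not refcounted */
    page_tbl[3] = (struct page){ .refcount = 2, .reserved = false }; /* shared page */
}

static bool kvm_is_reserved_pfn(unsigned long pfn) { return page_tbl[pfn].reserved; }

/* get_page(): unconditional reference, what the pre-fix path took. */
static void get_page(struct page *p) { p->refcount++; }

/* get_page_unless_zero(): take a reference only if one is already held. */
static bool get_page_unless_zero(struct page *p)
{
    if (p->refcount == 0)
        return false;
    p->refcount++;
    return true;
}

/* put_page(): drop a reference; the page is freed when the count hits zero. */
static void put_page(struct page *p)
{
    if (--p->refcount == 0)
        p->freed = true;
}

/* kvm_release_pfn_clean(): no-op for reserved pfns, put_page() otherwise.
 * Every user of hva_to_pfn()/gfn_to_pfn() ends with this. */
static void kvm_release_pfn_clean(unsigned long pfn)
{
    if (!kvm_is_reserved_pfn(pfn))
        put_page(&page_tbl[pfn]);
}

/* Pre-fix remapped-VMA path: accept the pfn and take a reference blindly. */
static int hva_to_pfn_remapped_old(unsigned long pfn)
{
    if (!kvm_is_reserved_pfn(pfn))
        get_page(&page_tbl[pfn]);
    return 0;
}

/* The check the fix adds: refuse valid but non-refcounted pages. */
static bool kvm_try_get_pfn(unsigned long pfn)
{
    if (kvm_is_reserved_pfn(pfn))
        return true;
    return get_page_unless_zero(&page_tbl[pfn]);
}

static int hva_to_pfn_remapped_fixed(unsigned long pfn)
{
    return kvm_try_get_pfn(pfn) ? 0 : -EFAULT;
}

/* One map/release cycle through either path on a fresh table. Returns the
 * map result and reports whether the page ended up freed under its owner. */
int simulate(unsigned long pfn, bool fixed, bool *freed_out)
{
    reset_pages();
    int r = fixed ? hva_to_pfn_remapped_fixed(pfn) : hva_to_pfn_remapped_old(pfn);
    if (r == 0)
        kvm_release_pfn_clean(pfn);
    *freed_out = page_tbl[pfn].freed;
    return r;
}

int refcount_of(unsigned long pfn) { return page_tbl[pfn].refcount; }

int main(void)
{
    for (unsigned long pfn = 0; pfn < NR_PAGES; pfn++) {
        bool f_old, f_new;
        int r_old = simulate(pfn, false, &f_old);
        int r_new = simulate(pfn, true, &f_new);
        printf("pfn %lu: old r=%d freed=%d | fixed r=%d freed=%d\n",
               pfn, r_old, f_old, r_new, f_new);
    }
    return 0;
}
```

Only pfn 2 differs between the two paths: the old code maps it and the paired release frees it (the use-after-free the Doc Text describes), while the fixed code returns -EFAULT and never touches its refcount. Reserved pages (pfn 1) pass both paths untouched, which is why MMIO mappings keep working after the fix.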

Comment 22 errata-xmlrpc 2021-08-10 11:13:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3044 https://access.redhat.com/errata/RHSA-2021:3044

Comment 23 errata-xmlrpc 2021-08-10 13:08:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3088 https://access.redhat.com/errata/RHSA-2021:3088

Comment 24 errata-xmlrpc 2021-08-10 13:14:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3057 https://access.redhat.com/errata/RHSA-2021:3057

Comment 25 Product Security DevOps Team 2021-08-10 13:28:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22543

Comment 26 errata-xmlrpc 2021-08-17 08:29:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3173 https://access.redhat.com/errata/RHSA-2021:3173

Comment 27 errata-xmlrpc 2021-08-17 08:31:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3181 https://access.redhat.com/errata/RHSA-2021:3181

Comment 29 errata-xmlrpc 2021-08-19 15:48:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235

Comment 30 errata-xmlrpc 2021-08-31 08:53:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3375 https://access.redhat.com/errata/RHSA-2021:3375

Comment 31 errata-xmlrpc 2021-08-31 09:04:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3380 https://access.redhat.com/errata/RHSA-2021:3380

Comment 32 errata-xmlrpc 2021-08-31 09:20:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3363 https://access.redhat.com/errata/RHSA-2021:3363

Comment 33 errata-xmlrpc 2021-10-05 07:52:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2021:3725 https://access.redhat.com/errata/RHSA-2021:3725

Comment 34 errata-xmlrpc 2021-10-12 07:24:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:81932 https://access.redhat.com/errata/RHSA-2021:81932

Comment 35 errata-xmlrpc 2021-10-12 07:44:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:3766 https://access.redhat.com/errata/RHSA-2021:3766

Comment 36 errata-xmlrpc 2021-10-12 09:34:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3768 https://access.redhat.com/errata/RHSA-2021:3768

Comment 37 errata-xmlrpc 2021-10-12 15:04:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:3812 https://access.redhat.com/errata/RHSA-2021:3812

Comment 38 errata-xmlrpc 2021-10-12 15:05:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2021:3814 https://access.redhat.com/errata/RHSA-2021:3814

Comment 39 errata-xmlrpc 2021-10-12 15:29:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3801 https://access.redhat.com/errata/RHSA-2021:3801

Comment 40 errata-xmlrpc 2021-10-12 15:29:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3802 https://access.redhat.com/errata/RHSA-2021:3802

Comment 42 errata-xmlrpc 2021-10-20 09:52:41 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:3943 https://access.redhat.com/errata/RHSA-2021:3943

Comment 43 errata-xmlrpc 2021-10-26 07:38:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2021:3987 https://access.redhat.com/errata/RHSA-2021:3987

Comment 44 errata-xmlrpc 2021-10-26 16:20:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2021:4000 https://access.redhat.com/errata/RHSA-2021:4000

Comment 45 errata-xmlrpc 2022-07-19 16:23:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:5640 https://access.redhat.com/errata/RHSA-2022:5640

