Jump to content
Nytro

[Doar Info] Linux Kernel kvm Multiple Vulns

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Linux Kernel kvm Multiple Vulns

* CVE-2013-1796

Description of the problem:

If the guest sets the GPA of the time_page so that the request to update

the time straddles a page then KVM will write onto an incorrect page.

Thewrite is done byusing kmap atomic to get a pointer to the page for

the time structure and then performing a memcpy to that page starting at

an offset that the guest controls. Well behaved guests always provide a

32-byte aligned address, however a malicious guest could use this to

corrupt host kernel memory.

Upstream commit:

https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=c300aa64ddf57d9c5d9c898a64b36877345dd4a9

References:

https://bugzilla.redhat.com/show_bug.cgi?id=917012

* CVE-2013-1797

Description of the problem:

There is a potential use after free issue with the handling of

MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or

removable memory such as frame buffers then KVM might continue to write

to that address even after it's removed via KVM_SET_USER_MEMORY_REGION.

KVM pins the page in memory so it's unlikely to cause an issue, but if

the user space component re-purposes the memory previously used for the

guest, then the guest will be able to corrupt that memory.

Upstream commit:

https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=0b79459b482e85cb7426aa7da683a9f2c97aeae1

References:

https://bugzilla.redhat.com/show_bug.cgi?id=917013

* CVE-2013-1798

Description of the problem:

If the guest specifies a IOAPIC_REG_SELECT with an invalid value and

follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly

validate that request. ioapic_read_indirect contains an

ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in

non-debug builds. In recent kernels this allows a guest to cause a

kernel oops by reading invalid memory. In older kernels (pre-3.3) this

allows a guest to read from large ranges of host memory.

Upstream commit:

https://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=a2c118bfab8bc6b8bb213abfc35201e441693d55

References:

https://bugzilla.redhat.com/show_bug.cgi?id=917017

All three issues were found and reported by Andrew Honig of Google.

pasek9.pngReferences:

https://bugzilla.redhat.com/show_bug.cgi?id=917012

https://bugzilla.redhat.com/show_bug.cgi?id=917013

https://bugzilla.redhat.com/show_bug.cgi?id=917017

http://seclists.org/oss-sec/2013/q1/702

Sursa: Linux Kernel kvm Multiple Vulns - CXSecurity.com

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...