CVE-2014-0049 kvm: mmio_fragments out-of-bounds access (rhbz 1062368 1071837)
parent 6162a001a7
commit c6303f2525
@ -767,6 +767,9 @@ Patch25025: usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch
#CVE-2014-0102 rhbz 1071396
Patch25026: keyring-fix.patch
#CVE-2014-0049 rhbz 1062368 1071837
Patch25027: kvm-x86-fix-emulator-buffer-overflow.patch
# END OF PATCH DEFINITIONS
%endif
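Review bot: the `#CVE-2014-0049 rhbz 1062368 1071837` comment would be easier to reconcile at the 3.14 rebase if it also named the upstream commit (a08d3b3b99e, visible in the header of kvm-x86-fix-emulator-buffer-overflow.patch, which is marked Upstream-status: 3.14); the definition itself is placed correctly, numbered after Patch25026 and ahead of `# END OF PATCH DEFINITIONS`.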
@ -1490,6 +1493,9 @@ ApplyPatch usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch
#CVE-2014-0102 rhbz 1071396
ApplyPatch keyring-fix.patch
#CVE-2014-0049 rhbz 1062368 1071837
ApplyPatch kvm-x86-fix-emulator-buffer-overflow.patch
# END OF PATCH APPLICATIONS
%endif
@ -2301,6 +2307,9 @@ fi
# ||----w |
# || ||
%changelog
* Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2014-0049 kvm: mmio_fragments out-of-bounds access (rhbz 1062368 1071837)
* Fri Feb 28 2014 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2014-0102 keyctl_link can be used to cause an oops (rhbz 1071396)
@ -0,0 +1,49 @@
Bugzilla: 1071837
Upstream-status: 3.14
From a08d3b3b99efd509133946056531cdf8f3a0c09b Mon Sep 17 00:00:00 2001
From: Andrew Honig <ahonig@google.com>
Date: Thu, 27 Feb 2014 18:35:14 +0000
Subject: kvm: x86: fix emulator buffer overflow (CVE-2014-0049)
The problem occurs when the guest performs a pusha with the stack
address pointing to an mmio address (or an invalid guest physical
address) to start with, but then extending into an ordinary guest
physical address. When doing repeated emulated pushes
emulator_read_write sets mmio_needed to 1 on the first one. On a
later push when the stack points to regular memory,
mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0.
As a result, KVM exits to userspace, and then returns to
complete_emulated_mmio. In complete_emulated_mmio
vcpu->mmio_cur_fragment is incremented. The termination condition of
vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
The code bounces back and fourth to userspace incrementing
mmio_cur_fragment past it's buffer. If the guest does nothing else it
eventually leads to a a crash on a memcpy from invalid memory address.
However if a guest code can cause the vm to be destroyed in another
vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
can be used by the guest to control the data that's pointed to by the
call to cancel_work_item, which can be used to gain execution.
Fixes: f78146b0f9230765c6315b2e14f56112513389ad
Signed-off-by: Andrew Honig <ahonig@google.com>
Cc: stable@vger.kernel.org (3.5+)
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 39c28f09..2b85784 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6186,7 +6186,7 @@ static int complete_emulated_mmio(struct kvm_vcpu *vcpu)
frag->len -= len;
}
- if (vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments) {
+ if (vcpu->mmio_cur_fragment >= vcpu->mmio_nr_fragments) {
vcpu->mmio_needed = 0;
/* FIXME: return into emulator if single-stepping. */
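Review bot: changing `==` to `>=` stops the runaway the message describes (mmio_cur_fragment incremented past mmio_nr_fragments after mmio_nr_fragments was reset to 0 while mmio_needed stayed set), but it also makes the `>` case silent; a `WARN_ON_ONCE(vcpu->mmio_cur_fragment > vcpu->mmio_nr_fragments)` just ahead of the check would log the inconsistent state when it recurs, and it is worth recording that this hunk only hardens the termination check and does not itself clear mmio_needed at the point where mmio_nr_fragments is zeroed, which the message names as the trigger.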
--
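Review bot: the `Bugzilla:` header at the top of the patch file lists only 1071837, whereas the spec comments and the changelog entry cite both 1062368 and 1071837; make it `Bugzilla: 1062368 1071837` so the patch carries the same references as the spec. The `Upstream-status: 3.14` line and the upstream commit id a08d3b3b99efd509133946056531cdf8f3a0c09b are present, which is what is needed to drop the patch at the 3.14 rebase.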