Summary: | Kernel: kvm: multiple vulnerabilities (CVE-2013-{1796,1797,1798}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Kernel | Assignee: | Gentoo Kernel Security <security-kernel> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | eric-f.garioud, kernel |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
Given that this is the kernel and it's been multiple years since it has been merged upstream (see links to redhat's bugzilla), isn't this one resolved?

(In reply to Agostino Sarubbo from comment #0)
> https://bugzilla.redhat.com/show_bug.cgi?id=917012 :
>
> If the guest sets the GPA of the time_page so that the request to update the
> time straddles a page then KVM will write onto an incorrect page. The
> write is done by using kmap_atomic to get a pointer to the page for the time
> structure and then performing a memcpy to that page starting at an offset
> that the guest controls. Well-behaved guests always provide a 32-byte aligned
> address, however a malicious guest could use this to corrupt host kernel
> memory.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=917013 :
>
> There is a potential use-after-free issue with the handling of
> MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable
> memory such as frame buffers then KVM might continue to write to that
> address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins
> the page in memory so it's unlikely to cause an issue, but if the user
> space component re-purposes the memory previously used for the guest, then
> the guest will be able to corrupt that memory.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=917017 :
>
> If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows
> that with a read of the IOAPIC_REG_WINDOW, KVM does not properly validate
> that request. ioapic_read_indirect contains an
> ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
> non-debug builds. In recent kernels this allows a guest to cause a kernel
> oops by reading invalid memory. In older kernels (pre-3.3) this allows a
> guest to read from large ranges of host memory.

Fixes in 3.8.9.
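The two input-validation failures described in the quoted report (917012 and 917017), as an added user-space C model written for this page; it is not code from KVM, from the Red Hat reports or from this Gentoo bug, and it is not the upstream patch. It shows the MSR_KVM_SYSTEM_TIME page-straddle check and ioapic_read_indirect with only a debug-only ASSERT beside a version with a real bounds check. PAGE_SIZE, IOAPIC_NUM_PINS, the 32-byte structure size, the no-op KVM_ASSERT macro, the all-ones value returned for an undefined register and the sample redirection table are assumptions of the model; the use-after-free in 917013 is a lifetime issue and is not modelled here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants modelled on the KVM code the report describes; the values are
 * assumed for this stand-alone example (x86, 4 KiB pages, 24-pin IOAPIC). */
#define PAGE_SIZE       4096ULL
#define PAGE_MASK       (~(PAGE_SIZE - 1))
#define TIME_INFO_SIZE  32ULL        /* size of the guest time structure (assumed) */
#define IOAPIC_NUM_PINS 24

/* The report says KVM's ASSERT() has no effect in non-debug builds; it is
 * modelled here as a no-op so the unchecked reader has the real shape. */
#define KVM_ASSERT(x) do { } while (0)

/* 917012: MSR_KVM_SYSTEM_TIME carries the guest physical address of the time
 * structure with the enable flag in bit 0.  The offset within the page comes
 * straight from the guest-controlled value; if offset + 32 runs past the end
 * of the page, the memcpy into the kmap'd page writes into whatever follows.
 * Returns true only when the whole structure fits inside one page. */
static bool system_time_gpa_ok(uint64_t msr_value)
{
    uint64_t gpa_offset = msr_value & ~(PAGE_MASK | 1ULL);  /* page offset, enable bit dropped */
    return gpa_offset + TIME_INFO_SIZE <= PAGE_SIZE;
}

/* 917017, vulnerable shape: the index derived from the guest's IOAPIC_REG_SELECT
 * value is guarded only by the no-op ASSERT, so an index >= IOAPIC_NUM_PINS
 * reads past the end of redirtbl[].  Never call this with an out-of-range index. */
static uint32_t ioapic_read_indirect_unchecked(const uint64_t *redirtbl, uint32_t ioregsel)
{
    uint32_t redir_index = (ioregsel - 0x10) >> 1;
    uint64_t redir_content;

    KVM_ASSERT(redir_index < IOAPIC_NUM_PINS);   /* compiled away */
    redir_content = redirtbl[redir_index];       /* out-of-bounds read for index >= 24 */
    return (ioregsel & 1) ? (uint32_t)(redir_content >> 32) : (uint32_t)redir_content;
}

/* Hardened reader: check the bound at runtime and return all-ones for an
 * undefined register (assumed behaviour for the model).  redir_index is
 * unsigned, so an ioregsel below 0x10 wraps to a huge value and is rejected
 * by the same comparison. */
static uint32_t ioapic_read_indirect_checked(const uint64_t *redirtbl, uint32_t ioregsel)
{
    uint32_t redir_index = (ioregsel - 0x10) >> 1;
    uint64_t redir_content;

    if (redir_index < IOAPIC_NUM_PINS)
        redir_content = redirtbl[redir_index];
    else
        redir_content = ~0ULL;
    return (ioregsel & 1) ? (uint32_t)(redir_content >> 32) : (uint32_t)redir_content;
}

/* Constructed sample table: entry i has 0xA000+i in its high half and
 * 0xB000+i in its low half, so the half selected by bit 0 is recognisable. */
static void fill_sample_redirtbl(uint64_t *redirtbl)
{
    for (uint32_t i = 0; i < IOAPIC_NUM_PINS; i++)
        redirtbl[i] = ((uint64_t)(0xA000u + i) << 32) | (0xB000u + i);
}

/* What a guest sees from the checked reader for a given IOAPIC_REG_SELECT
 * value, against the constructed table. */
static uint32_t demo_ioapic_window_read(uint32_t ioregsel)
{
    uint64_t redirtbl[IOAPIC_NUM_PINS];
    fill_sample_redirtbl(redirtbl);
    return ioapic_read_indirect_checked(redirtbl, ioregsel);
}

int main(void)
{
    uint64_t redirtbl[IOAPIC_NUM_PINS];
    fill_sample_redirtbl(redirtbl);

    printf("time page at 0x1000 (offset 0)   fits: %d\n", system_time_gpa_ok(0x1000ULL | 1));
    printf("time page at 0x1fe4 (4-byte aligned) fits: %d\n", system_time_gpa_ok(0x1fe4ULL | 1));
    printf("pin 5 low half  (unchecked, valid index): 0x%08x\n",
           ioapic_read_indirect_unchecked(redirtbl, 0x10 + 2 * 5));
    printf("pin 5 high half (checked):                0x%08x\n",
           ioapic_read_indirect_checked(redirtbl, 0x10 + 2 * 5 + 1));
    printf("pin 24, past the table (checked):         0x%08x\n",
           ioapic_read_indirect_checked(redirtbl, 0x10 + 2 * 24));
    printf("ioregsel 0x3, index wraps (checked):      0x%08x\n",
           ioapic_read_indirect_checked(redirtbl, 0x3));
    return 0;
}
```

The straddle check accepts 0x1fe0 (offset 4064, structure ends exactly at the page boundary) and rejects 0x1fe4, which is 4-byte aligned but not 32-byte aligned; that is the gap between what a well-behaved guest provides and what a malicious one can pass. For the IOAPIC read, the unchecked function is kept only to show why a debug-only ASSERT is not a bounds check; the one comparison in the checked version covers both indices past the table and select values below 0x10.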