Bug 462468 (CVE-2013-1796) - Kernel : kvm: multiple vulnerabilities (CVE-2013-{1796,1797,1798})
Summary: Kernel : kvm: multiple vulnerabilities (CVE-2013-{1796,1797,1798})
Status: RESOLVED FIXED
Alias: CVE-2013-1796
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Security
Reported: 2013-03-20 11:09 UTC by Agostino Sarubbo
Modified: 2022-03-25 15:09 UTC
CC List: 2 users

Description Agostino Sarubbo (gentoo-dev) 2013-03-20 11:09:59 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=917012 :

If the guest sets the GPA of the time_page so that the request to update the 
time straddles a page then KVM will write onto an incorrect page.  The
write is done by using kmap atomic to get a pointer to the page for the time
structure and then performing a memcpy to that page starting at an offset
that the guest controls.  Well behaved guests always provide a 32-byte aligned
address, however a malicious guest could use this to corrupt host kernel
memory.


https://bugzilla.redhat.com/show_bug.cgi?id=917013 :

There is a potential use after free issue with the handling of
MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
memory such as frame buffers then KVM might continue to write to that
address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
the page in memory so it's unlikely to cause an issue, but if the user
space component re-purposes the memory previously used for the guest, then
the guest will be able to corrupt that memory.


https://bugzilla.redhat.com/show_bug.cgi?id=917017 :

If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows
that with a read of the IOAPIC_REG_WINDOW, KVM does not properly validate
that request.  ioapic_read_indirect contains an
ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
non-debug builds.  In recent kernels this allows a guest to cause a kernel
oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
guest to read from large ranges of host memory.
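The two input checks whose absence the first and third reports above describe, written out as an added illustration in plain C. This is not KVM's code and not the fix shipped in 3.8.9; PAGE_SIZE, IOAPIC_NUM_PINS, IOAPIC_REDIR_BASE, the struct layouts and the sample redirection entry are assumptions or constructed values.

```c
#include <stdint.h>

#define PAGE_SIZE         4096u
#define IOAPIC_NUM_PINS   24     /* assumed pin count (the kernel's constant) */
#define IOAPIC_REDIR_BASE 0x10   /* assumed first index of the redirection table */

/* Stand-in for the 32-byte time structure a guest registers via
 * MSR_KVM_SYSTEM_TIME; only its size matters here. */
struct time_info { uint8_t bytes[32]; };

/* First report: the structure must lie entirely inside one page.
 * A 32-byte-aligned address always passes; an address in the last
 * 31 bytes of a page fails, since the memcpy would spill onto the
 * next page, which is the host memory corruption described. */
int time_page_offset_ok(uint64_t gpa)
{
    uint64_t off = gpa & (PAGE_SIZE - 1);
    return off + sizeof(struct time_info) <= PAGE_SIZE;
}

/* Simplified IOAPIC model: select is what the guest last wrote to
 * IOAPIC_REG_SELECT; each 64-bit redirection entry is exposed as two
 * 32-bit halves at consecutive indices starting at IOAPIC_REDIR_BASE. */
struct ioapic { uint32_t select; uint64_t redirtbl[IOAPIC_NUM_PINS]; };

/* Third report: a read of IOAPIC_REG_WINDOW needs a real runtime bounds
 * check, because ASSERT() compiles away in non-debug builds. Returns 0
 * and sets *val, or -1 for an index that would address past the table. */
int ioapic_read_window(const struct ioapic *io, uint32_t *val)
{
    if (io->select < IOAPIC_REDIR_BASE)
        return -1;                       /* ID/version registers not modelled */
    uint32_t redir_index = (io->select - IOAPIC_REDIR_BASE) >> 1;
    if (redir_index >= IOAPIC_NUM_PINS)  /* guest-controlled index out of range */
        return -1;
    uint64_t entry = io->redirtbl[redir_index];
    *val = (io->select & 1) ? (uint32_t)(entry >> 32) : (uint32_t)entry;
    return 0;
}

/* Probe over a constructed table: the 32-bit value read, or -1 if rejected. */
int64_t ioapic_probe(uint32_t select)
{
    struct ioapic io = { .select = select, .redirtbl = {0} };
    io.redirtbl[1] = 0xAAAAAAAA55555555ULL;   /* constructed sample entry */
    uint32_t v;
    return ioapic_read_window(&io, &v) == 0 ? (int64_t)v : -1;
}
```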
Comment 1 Haelwenn (lanodan) Monnier 2019-12-06 21:41:49 UTC
Given that this is the kernel and it's been multiple years since it has been merged upstream (see links to redhat's bugzilla), isn't this one resolved?
Comment 2 John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2022-03-25 15:09:54 UTC
(In reply to Agostino Sarubbo from comment #0)
> https://bugzilla.redhat.com/show_bug.cgi?id=917012 :
> 
> If the guest sets the GPA of the time_page so that the request to update the
> time straddles a page then KVM will write onto an incorrect page.  The
> write is done by using kmap atomic to get a pointer to the page for the time
> structure and then performing a memcpy to that page starting at an offset
> that the guest controls.  Well behaved guests always provide a 32-byte aligned
> address, however a malicious guest could use this to corrupt host kernel
> memory.
> 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=917013 :
> 
> There is a potential use after free issue with the handling of
> MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
> memory such as frame buffers then KVM might continue to write to that
> address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
> the page in memory so it's unlikely to cause an issue, but if the user
> space component re-purposes the memory previously used for the guest, then
> the guest will be able to corrupt that memory.
> 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=917017 :
> 
> If the guest specifies an IOAPIC_REG_SELECT with an invalid value and follows
> that with a read of the IOAPIC_REG_WINDOW, KVM does not properly validate
> that request.  ioapic_read_indirect contains an
> ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in
> non-debug builds.  In recent kernels this allows a guest to cause a kernel
> oops by reading invalid memory.  In older kernels (pre-3.3) this allows a
> guest to read from large ranges of host memory.

Fixes in 3.8.9.