Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 3 Mar 2014 10:38:50 +0100
From: Petr Matousek <>
Cc: Paolo Bonzini <>, gleb <>,
        Lars Bull <>, Andrew Honig <>
Subject: CVE-2014-0049 -- Linux kernel: kvm: mmio_fragments out-of-the-bounds

The problem occurs when the guest performs a pusha with the stack
pointing to an mmio address (or an invalid guest physical address) to
start with, but then extending into an ordinary guest physical address.
When doing repeated emulated pushes emulator_read_write sets mmio_needed
to 1 on the first one.  On a later push when the stack points to regular
memory, mmio_nr_fragments is set to 0, but mmio_is_needed is not set
to 0.

As a result, KVM exits to userspace, and then returns to
complete_emulated_mmio.  In complete_emulated_mmio
vcpu->mmio_cur_fragment is incremented.  The termination condition of
vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
The code bounces back and fourth to userspace incrementing
mmio_cur_fragment past it's buffer.  If the guest does nothing else it
eventually leads to a a crash on a memcpy from invalid memory address.

However if a guest code can cause the vm to be destoryed in another
vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
can be used by the guest to control the data that's pointed to by the
call to cancel_work_item, which can be used to gain execution.

Introduced by:

Upstream patch:


Red Hat would like to thank Lars Bull of Google for reporting this

Petr Matousek / Red Hat Security Response Team
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.