Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALCETrXLM_-4g3SzJd5kcMuHji5j3WLmybMiOxLaH87WL=zRTA@mail.gmail.com>
Date: Tue, 21 Oct 2014 13:48:03 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com, Petr Matousek <pmatouse@...hat.com>
Subject: CVE-2014-3690: KVM DoS triggerable by malicious host userspace

[sorry for somewhat late notice -- I didn't notice that the patch was
public until just now]

KVM has a bug that allows malicious host user code that can open the
/dev/kvm device on a VMX (Intel) machine to DoS the system.  (In my
proof of concept, the DoS is a rather spectacular failure of the whole
system, although I haven't checked whether the kernel panics.  A more
refined exploit *might* be able to kill targetted user processes, but
it would be tricky and is subject to possibly unavoidable races that
are likely to take down the whole system.)

This is *not* triggerable by a guest, although a guest that can
compromise its host QEMU could use this bug to take down everything
else running on the host.

I would guess that all kernels that support VMX are vulnerable, but I
haven't tested old kernels.

The fix is here:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a

PoC available upon request, and I'll post it publicly in a few days,
because it's kind of fun to watch the fireworks.

--Andy

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.