|
Message-ID: <545177FF.4050901@amacapital.net>
Date: Wed, 29 Oct 2014 16:27:59 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-3690: KVM DoS triggerable by malicious host userspace
On 10/21/2014 01:48 PM, Andy Lutomirski wrote:
> [sorry for somewhat late notice -- I didn't notice that the patch was
> public until just now]
>
> KVM has a bug that allows malicious host user code that can open the
> /dev/kvm device on a VMX (Intel) machine to DoS the system. (In my
> proof of concept, the DoS is a rather spectacular failure of the whole
> system, although I haven't checked whether the kernel panics. A more
> refined exploit *might* be able to kill targetted user processes, but
> it would be tricky and is subject to possibly unavoidable races that
> are likely to take down the whole system.)
>
> This is *not* triggerable by a guest, although a guest that can
> compromise its host QEMU could use this bug to take down everything
> else running on the host.
>
> I would guess that all kernels that support VMX are vulnerable, but I
> haven't tested old kernels.
>
> The fix is here:
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a
>
> PoC available upon request, and I'll post it publicly in a few days,
> because it's kind of fun to watch the fireworks.
>
> --Andy
>
As promised, here's the exploit.
I didn't really feel like writing a self-contained test case to
initialize a KVM vCPU, so I turned QEMU into an exploit instead. Apply
the attached patch to QEMU, build it, and run it (qemu-system-x86_64
-machine accel=kvm).
--Andy
View attachment "0001-Evil-QEMU-hack-to-exploit-a-KVM-CR4-bug.patch" of type "text/x-patch" (1792 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.