oss-sec mailing list archives
CVE-2014-3690: KVM DoS triggerable by malicious host userspace
From: Andy Lutomirski <luto () amacapital net>
Date: Tue, 21 Oct 2014 13:48:03 -0700
[sorry for somewhat late notice -- I didn't notice that the patch was public until just now]

KVM has a bug that allows malicious host user code that can open the /dev/kvm device on a VMX (Intel) machine to DoS the system. (In my proof of concept, the DoS is a rather spectacular failure of the whole system, although I haven't checked whether the kernel panics. A more refined exploit *might* be able to kill targeted user processes, but it would be tricky and is subject to possibly unavoidable races that are likely to take down the whole system.)

This is *not* triggerable by a guest, although a guest that can compromise its host QEMU could use this bug to take down everything else running on the host.

I would guess that all kernels that support VMX are vulnerable, but I haven't tested old kernels.

The fix is here:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d974baa398f34393db76be45f7d4d04fbdbb4a0a

PoC available upon request, and I'll post it publicly in a few days, because it's kind of fun to watch the fireworks.

--Andy
Current thread:
- CVE-2014-3690: KVM DoS triggerable by malicious host userspace Andy Lutomirski (Oct 21)
- Re: CVE-2014-3690: KVM DoS triggerable by malicious host userspace Andy Lutomirski (Oct 29)