Re: CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing

[Alex Gaynor <alex.gaynor () gmail com>]

Can you say more about why this is only a DoS? The commit message sounds
(to someone with little domain expertise in KVM) like a fairly traditional
pattern for an exploitable for code exec uaf.

Cheers,
Alex

On Tue, Dec 18, 2018, 2:16 PM P J P <ppandit () redhat com wrote:

>    Hello,
>
> A use after free issue was found in the way Linux kernel's KVM hypervisor
> processed posted interrupts, when nested(=1) virtualization is enabled. In
> nested_get_vmcs12_pages(), in case of an error while processing posted
> interrupt address, it unmaps the 'pi_desc_page' without resetting
> 'pi_desc'
> descriptor address. Which is latter used in pi_test_and_clear_on().
>
> A guest user/process could use this flaw to crash the host kernel
> resulting in
> DoS.
>
> Upstream patch:
> ---------------
>    -> https://marc.info/?l=kvm&m=154514994222809&w=2
>
> This issue was reported by Cfir Cohen of google.com.
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F