oss-sec mailing list archives
Re: CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing
From: Alex Gaynor <alex.gaynor () gmail com>
Date: Tue, 18 Dec 2018 14:24:08 -0500
Can you say more about why this is only a DoS? The commit message sounds (to someone with little domain expertise in KVM) like a fairly traditional pattern for an exploitable for code exec uaf. Cheers, Alex On Tue, Dec 18, 2018, 2:16 PM P J P <ppandit () redhat com wrote:
Hello, A use after free issue was found in the way Linux kernel's KVM hypervisor processed posted interrupts, when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address. Which is latter used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS. Upstream patch: --------------- -> https://marc.info/?l=kvm&m=154514994222809&w=2 This issue was reported by Cfir Cohen of google.com. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Current thread:
- CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing P J P (Dec 18)
- Re: CVE-2018-16882 Kernel: KVM: nVMX: use after free in posted interrupt processing Alex Gaynor (Dec 18)