Bug 828015 (CVE-2013-1935) - VUL-1: CVE-2013-1935: kernel: kvm: pv_eoi guest updates with interrupts disabled
Summary: VUL-1: CVE-2013-1935: kernel: kvm: pv_eoi guest updates with interrupts disabled
Status: RESOLVED FIXED
Alias: CVE-2013-1935
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Bruce Rogers
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-03 15:53 UTC by Marcus Meissner
Modified: 2015-03-05 16:29 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-07-03 15:53:41 UTC 
is public, via RH bugzilla

CVE-2013-1935

https://bugzilla.redhat.com/show_bug.cgi?id=949981

A bug has been found in the way guest pv_eoi updates were handled before entering the guests. Upon synchronizing LAPIC to the guest's VAPIC,  kvm_write_guest_cached() (and thus copy_to_user()) could be called with interrupts disabled.

A local unprivileged user in the guest could potentially use this flaw to crash the host.
Comment 1 Marcus Meissner 2013-07-03 15:54:21 UTC 
(I have a hard time identifying the fix in mainline kernel. other references of that CVE were so far not helpful)
Comment 2 Swamp Workflow Management 2013-07-03 22:00:48 UTC 
bugbot adjusting priority
Comment 3 Bruce Rogers 2013-07-08 20:59:52 UTC 
Neither SLE11 SP2 nor SLE11 SP3 are affected, since PV EOI support is not present in the kernels of either of those releases.

The only openSUSE release affected would be 12.3, since the PV EOI code was added in v3.6 and 12.3 has v3.7, and the security issue was discovered well after that kernel release.

I too am having an issue identifying the fix. Still working on it...
Comment 4 Marcus Meissner 2015-03-05 16:29:38 UTC 
as 12.3 is EOLed, I think we can close now.