Bug 866288 (CVE-2014-0049) - VUL-0: CVE-2014-0049: kernel: kvm: guest to host code execution
Summary: VUL-0: CVE-2014-0049: kernel: kvm: guest to host code execution
Status: RESOLVED FIXED
Alias: CVE-2014-0049
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 13.1
: P3 - Medium : Major
Target Milestone: ---
Assignee: Bruce Rogers
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-28 13:20 UTC by Marcus Meissner
Modified: 2016-05-24 11:10 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Marcus Meissner 2014-02-28 13:21:11 UTC 
CVE-2014-0049.patch
The problem occurs when the guest performs a pusha with the stack
address pointing to an mmio address (or an invalid guest physical
address) to start with, but then extending into an ordinary guest
physical address.  When doing repeated emulated pushes
emulator_read_write sets mmio_needed to 1 on the first one.  On a
later push when the stack points to regular memory,
mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0.

As a result, KVM exits to userspace, and then returns to
complete_emulated_mmio.  In complete_emulated_mmio
vcpu->mmio_cur_fragment is incremented.  The termination condition of
vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved.
The code bounces back and fourth to userspace incrementing
mmio_cur_fragment past it's buffer.  If the guest does nothing else it
eventually leads to a a crash on a memcpy from invalid memory address.

However if a guest code can cause the vm to be destoryed in another
vcpu with excellent timing, then kvm_clear_async_pf_completion_queue
can be used by the guest to control the data that's pointed to by the
call to cancel_work_item, which can be used to gain execution.

This bug was introduced by f78146b0f.
Comment 2 Marcus Meissner 2014-02-28 13:21:38 UTC 
Created attachment 580533 [details]
CVE-2014-0049.patch

proposed patch
Comment 5 Marcus Meissner 2014-02-28 14:48:17 UTC 
complete_emulated_mmio does not seem to appear in SLES 11 SP3 or olders.

The referenced breakage patch is also from 2012, so we probably do not have it in 3.0.x-
Comment 6 Bruce Rogers 2014-02-28 16:30:28 UTC 
(In reply to comment #5)
> complete_emulated_mmio does not seem to appear in SLES 11 SP3 or olders.
> 
> The referenced breakage patch is also from 2012, so we probably do not have it
> in 3.0.x-

I've looked and we do not have this breakage in SLES 11 SP3 or older.

Currently openSUSE 12.3 and openSUSE 13.1 are affected, as well as the
pre-releases of SLES 12.

I assume we're ok waiting for this fix to appear in the stable 3.12 updates,
and get incorporated into SLE 12 that way.

For the two openSUSE releases, I can work to get the fix into their kernels.
Marcus, you might have better visibility into what is going on with the CRD, so
I'll wait for your input as to when to push the fix out to these two openSUSE
releases.
Comment 7 Swamp Workflow Management 2014-02-28 23:00:23 UTC 
bugbot adjusting priority
Comment 8 Marcus Meissner 2014-03-03 12:43:41 UTC 
issue is now public btw, so feel free to commit
Comment 9 Marcus Meissner 2016-05-24 11:10:22 UTC 
is in patches.kernel.org/patch-3.12.13-14

so we had it fixed pre-SLE12 GA shipment.

13.1 has also moved to a 3.12.later kernel, so is also fixed.