
[0/1,SRU,B/C] CVE-2018-16882 - Nested KVM DoS

Message ID 1547074093-6066-1-git-send-email-tyhicks@canonical.com

Message

Tyler Hicks Jan. 9, 2019, 10:48 p.m. UTC
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16882.html

 A use after free issue was found in the way Linux kernel's KVM hypervisor
 processed posted interrupts, when nested(=1) virtualization is enabled. In
 nested_get_vmcs12_pages(), in case of an error while processing posted
 interrupt address, it unmaps the 'pi_desc_page' without resetting the 'pi_desc'
 descriptor address, which is later used in pi_test_and_clear_on(). A guest
 user/process could use this flaw to crash the host kernel resulting in DoS.

This is a clean cherry pick to Bionic and Cosmic. Disco already has the patch
applied. I've smoke tested this patch by booting nested KVM instances using
both the Bionic and Cosmic kernels.

Tyler
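The bug class the cover letter describes, modelled as an added user-space example rather than the kernel's code or the patch itself: the error path unmaps the page, and unless the descriptor pointer is reset together with the mapping and checked before use, the later caller reads through a pointer into memory that is no longer mapped. The struct layout, the heap-backed map/unmap stand-ins, the reset_ptr switch and the NULL check are assumptions made for the model, not the fix's exact code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for a posted-interrupt descriptor living in a mapped
 * guest page; only the ON bit in 'control' matters for this model. */
struct pi_desc { uint32_t control; };
#define POSTED_INTR_ON 1u

struct nested_state {
    struct pi_desc *pi_desc_page; /* the mapping itself (NULL once unmapped) */
    struct pi_desc *pi_desc;      /* descriptor pointer into that mapping */
};

/* map/unmap modelled with the heap so the example runs in user space. */
static struct pi_desc *map_page(void) { return calloc(1, sizeof(struct pi_desc)); }
static void unmap_page(struct pi_desc **page) { free(*page); *page = NULL; }

/* Error path from the CVE text: the page is unmapped. With reset_ptr == false
 * the descriptor pointer survives pointing at unmapped memory (the bug); with
 * reset_ptr == true it is cleared together with the mapping (the fix). */
static void get_vmcs12_pages_error_path(struct nested_state *n, bool reset_ptr)
{
    unmap_page(&n->pi_desc_page);
    if (reset_ptr)
        n->pi_desc = NULL;
}

/* Hardened later use: refuse to touch the descriptor when nothing is mapped.
 * Returns the previous ON state (0/1), or -1 when there is no descriptor. */
static int pi_test_and_clear_on_checked(struct nested_state *n)
{
    if (!n->pi_desc)
        return -1;
    int was_on = (n->pi_desc->control & POSTED_INTR_ON) != 0;
    n->pi_desc->control &= ~POSTED_INTR_ON;
    return was_on;
}

/* Run map -> error path -> later use; true means the later use would have
 * dereferenced a pointer into an unmapped page (the use-after-free). */
static bool later_use_is_dangling(bool reset_ptr)
{
    struct nested_state n = { 0 };
    n.pi_desc_page = map_page();
    n.pi_desc = n.pi_desc_page;
    get_vmcs12_pages_error_path(&n, reset_ptr);
    return n.pi_desc != NULL; /* stale pointer left behind? */
}
```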

Comments

Kleber Sacilotto de Souza Jan. 10, 2019, 3:10 p.m. UTC | #1
On 1/9/19 11:48 PM, Tyler Hicks wrote:
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16882.html
>
>  A use after free issue was found in the way Linux kernel's KVM hypervisor
>  processed posted interrupts, when nested(=1) virtualization is enabled. In
>  nested_get_vmcs12_pages(), in case of an error while processing posted
>  interrupt address, it unmaps the 'pi_desc_page' without resetting the 'pi_desc'
>  descriptor address, which is later used in pi_test_and_clear_on(). A guest
>  user/process could use this flaw to crash the host kernel resulting in DoS.
>
> This is a clean cherry pick to Bionic and Cosmic. Disco already has the patch
> applied. I've smoke tested this patch by booting nested KVM instances using
> both the Bionic and Cosmic kernels.
>
> Tyler
>
>
Applied to bionic/master-next and cosmic/master-next branches.

Thanks,
Kleber