
List:       oss-security
Subject:    Re: [oss-security] CVE request -- kernel: kvm: device assignment page leak
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-04-19 15:36:23
Message-ID: 4F9030F7.4090105 () redhat ! com

On 04/19/2012 04:52 AM, Petr Matousek wrote:
> KVM uses memory slots to track and map guest regions of memory.
> When device assignment is used, the pages backing these slots are
> pinned in memory using get_user_pages and mapped into the iommu.
> The problem is that when a memory slot is destroyed the pages for
> the associated memory slot are neither unpinned nor unmapped from
> the iommu.
> 
> The problem is that those pages are now never unpinned and continue
> to have an increased reference count.  This is therefore a
> potential page leak from the kvm kernel module.
> 
> On Red Hat Enterprise Linux, a local user with the ability to assign
> devices could use this flaw to DoS the system.
> 
> With upstream qemu-kvm/kvm, a privileged guest user that could
> hotunplug and then hotplug back certain devices could potentially
> use this flaw to DoS the host.
> 
> Upstream fix:
> http://git.kernel.org/?p=virt/kvm/kvm.git;a=commit;h=32f6daad4651a748a58a3ab6da0611862175722f
>
> References:
> https://lkml.org/lkml/2012/4/11/248
> https://bugzilla.redhat.com/show_bug.cgi?id=814149
> 
> Thanks,

Please use CVE-2012-2121 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

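
The pin/unpin imbalance described in the quoted report, as an added example that is not part of the original message and is not kernel code: a simplified user-space C model in which every name (struct memslot, slot_pin, slot_destroy, leaked_refs) is hypothetical. It counts the references left on the backing pages after repeated slot create/destroy cycles, with and without unpinning on destroy.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model: one reference counter per page (0 = no pin held). */
struct page { int refcount; };

struct memslot {
    struct page *pages;  /* pages backing this slot */
    size_t npages;
    int assigned;        /* device assignment active, so pages get pinned */
};

/* Models pinning at slot setup: each backing page gains one reference. */
static void slot_pin(struct memslot *s) {
    for (size_t i = 0; i < s->npages; i++) s->pages[i].refcount++;
}

/* Models the release that must balance slot_pin(). */
static void slot_unpin(struct memslot *s) {
    for (size_t i = 0; i < s->npages; i++) s->pages[i].refcount--;
}

/* unpin_on_destroy = 0 models the flawed teardown, 1 the balanced one. */
static void slot_destroy(struct memslot *s, int unpin_on_destroy) {
    if (s->assigned && unpin_on_destroy) slot_unpin(s);
    s->pages = NULL;     /* the slot forgets its pages either way */
    s->npages = 0;
}

/* Runs `cycles` create/destroy rounds and returns the references left over. */
long leaked_refs(size_t npages, int cycles, int unpin_on_destroy) {
    struct page *pool = calloc(npages, sizeof *pool);
    long leaked = 0;
    if (!pool) return -1;
    for (int c = 0; c < cycles; c++) {
        struct memslot s = { pool, npages, 1 };
        if (s.assigned) slot_pin(&s);
        slot_destroy(&s, unpin_on_destroy);
    }
    for (size_t i = 0; i < npages; i++) leaked += pool[i].refcount;
    free(pool);
    return leaked;
}

int main(void) {
    printf("no unpin on destroy: %ld refs left\n", leaked_refs(256, 8, 0));
    printf("unpin on destroy:    %ld refs left\n", leaked_refs(256, 8, 1));
    return 0;
}
```

In this model the leftover count grows linearly with the number of create/destroy cycles when teardown skips the unpin, and stays at zero when pin and unpin are balanced.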