Vigil@nce - Linux kernel: denial of service via KVM PUSHA
March 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker located in a KVM guest system can use PUSHA to trigger
a denial of service of the Linux kernel.
Impacted products: Fedora, Linux
Severity: 1/4
Creation date: 03/03/2014
DESCRIPTION OF THE VULNERABILITY
The MMIO (Memory Mapped I/O) feature uses the same bus to access
memory and input/output devices. The complete_emulated_mmio()
function of the arch/x86/kvm/x86.c file emulates MMIO for KVM.
The PUSHA assembler instruction stores the general registers (EAX,
etc.) on the stack. However, if the stack address is an MMIO
address, the complete_emulated_mmio() function loops until it
reaches an invalid memory address.
An attacker located in a KVM guest system can therefore use PUSHA
to trigger a denial of service of the Linux kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-KVM-PUSHA-14348