ghsa-r2r3-fm28-9g3h
Vulnerability from github
Published
2024-05-21 15:31
Modified
2024-12-30 21:30
Severity ?
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()

KASAN reports the following issue:

BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm] Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798

CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G X --------- --- Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020 Call Trace: dump_stack+0xa5/0xe6 print_address_description.constprop.0+0x18/0x130 ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm] __kasan_report.cold+0x7f/0x114 ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm] kasan_report+0x38/0x50 kasan_check_range+0xf5/0x1d0 kvm_make_vcpus_request_mask+0x174/0x440 [kvm] kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm] ? kvm_arch_exit+0x110/0x110 [kvm] ? sched_clock+0x5/0x10 ioapic_write_indirect+0x59f/0x9e0 [kvm] ? static_obj+0xc0/0xc0 ? __lock_acquired+0x1d2/0x8c0 ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]

The problem appears to be that 'vcpu_bitmap' is allocated as a single long on stack and it should really be KVM_MAX_VCPUS long. We also seem to clear the lower 16 bits of it with bitmap_zero() for no particular reason (my guess would be that 'bitmap' and 'vcpu_bitmap' variables in kvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed 16-bit long, the later should accommodate all possible vCPUs).

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:24Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()\n\nKASAN reports the following issue:\n\n BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798\n\n CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G               X --------- ---\n Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020\n Call Trace:\n  dump_stack+0xa5/0xe6\n  print_address_description.constprop.0+0x18/0x130\n  ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  __kasan_report.cold+0x7f/0x114\n  ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  kasan_report+0x38/0x50\n  kasan_check_range+0xf5/0x1d0\n  kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n  kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]\n  ? kvm_arch_exit+0x110/0x110 [kvm]\n  ? sched_clock+0x5/0x10\n  ioapic_write_indirect+0x59f/0x9e0 [kvm]\n  ? static_obj+0xc0/0xc0\n  ? __lock_acquired+0x1d2/0x8c0\n  ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]\n\nThe problem appears to be that \u0027vcpu_bitmap\u0027 is allocated as a single long\non stack and it should really be KVM_MAX_VCPUS long. We also seem to clear\nthe lower 16 bits of it with bitmap_zero() for no particular reason (my\nguess would be that \u0027bitmap\u0027 and \u0027vcpu_bitmap\u0027 variables in\nkvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed\n16-bit long, the later should accommodate all possible vCPUs).",
  "id": "GHSA-r2r3-fm28-9g3h",
  "modified": "2024-12-30T21:30:46Z",
  "published": "2024-05-21T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47390"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.