Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-6974: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) · torvalds/linux@cfa3938

In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.

CVE
#google#linux#sap

Permalink

Browse files

Browse the repository at this point in the history

kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)

kvm_ioctl_create_device() does the following:

  1. creates a device that holds a reference to the VM object (with a borrowed reference, the VM’s refcount has not been bumped yet)
  2. initializes the device
  3. transfers the reference to the device to the caller’s file descriptor table
  4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real reference

The ownership transfer in step 3 must not happen before the reference to the VM becomes a proper, non-borrowed reference, which only happens in step 4. After step 3, an attacker can close the file descriptor and drop the borrowed reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before anon_inode_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d5 (“kvm: add device control API”) Cc: [email protected] Signed-off-by: Jann Horn [email protected] Signed-off-by: Paolo Bonzini [email protected]

  • Loading branch information

Related news

CVE-2019-7222: [SECURITY] Fedora 28 Update: kernel-4.20.8-100.fc28 - package-announce

The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.

CVE-2019-0542: Red Hat Customer Portal - Access to 24x7 support and knowledge

A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907