Headline
CVE-2019-6974: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) · torvalds/linux@cfa3938
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.
Permalink
Browse files
Browse the repository at this point in the history
kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
kvm_ioctl_create_device() does the following:
- creates a device that holds a reference to the VM object (with a borrowed reference, the VM’s refcount has not been bumped yet)
- initializes the device
- transfers the reference to the device to the caller’s file descriptor table
- calls kvm_get_kvm() to turn the borrowed reference to the VM into a real reference
The ownership transfer in step 3 must not happen before the reference to the VM becomes a proper, non-borrowed reference, which only happens in step 4. After step 3, an attacker can close the file descriptor and drop the borrowed reference, which can cause the refcount of the kvm object to drop to zero.
This means that we need to grab a reference for the device before anon_inode_getfd(), otherwise the VM can disappear from under us.
Fixes: 852b6d5 (“kvm: add device control API”) Cc: [email protected] Signed-off-by: Jann Horn [email protected] Signed-off-by: Paolo Bonzini [email protected]
- Loading branch information
Related news
The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.
A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.