linux kernel kvm integer overflow kvm_dev_ioctl_get_supported_cpuid()

Risk: High
Local: Yes
Remote: No
CWE: CWE-189

CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Quote from the upstream commit: "The number of entries is multiplied by the entry size, which can overflow on 32-bit hosts. Bound the entry count instead."

 	if (cpuid->nent < 1)
 		goto out;
+	if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
+		cpuid->nent = KVM_MAX_CPUID_ENTRIES;
 	r = -ENOMEM;
 	cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
 	if (!cpuid_entries)

This one can be triggered if /dev/kvm is user accessible (which is recommended...). This was introduced in v2.6.25-rc1 and fixed in v2.6.32-rc4. Only 32-bit hosts are affected.

References:
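Review bot: the bound silently clamps cpuid->nent to KVM_MAX_CPUID_ENTRIES instead of rejecting an oversized request, so a caller that asks for more entries gets a shorter list back with no error from this check; that is sufficient to keep sizeof(struct kvm_cpuid_entry2) * cpuid->nent from wrapping on a 32-bit host, but a short comment at the `+ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)` line stating that the truncation is intentional, or an explicit -E2BIG return, would make the contract with userspace clearer.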

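As an added example (not code from the advisory or from the kernel), the allocation-size arithmetic of the hunk above modelled with a 32-bit size_t, beside the clamped form the patch introduces and a general multiply-overflow check. The entry layout and the value of KVM_MAX_CPUID_ENTRIES are assumptions of this example, not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed mirror of the uapi struct kvm_cpuid_entry2 layout (10 x u32 = 40 bytes). */
struct kvm_cpuid_entry2 {
    uint32_t function, index, flags;
    uint32_t eax, ebx, ecx, edx;
    uint32_t padding[3];
};

/* Assumed value of the kernel constant used by the patch. */
#define KVM_MAX_CPUID_ENTRIES 80

/* On a 32-bit host size_t is 32 bits wide; model that explicitly. */
typedef uint32_t host32_size_t;

/* Pre-fix computation: user-controlled nent times entry size, no bound.
 * For large nent the product wraps and a tiny buffer would be allocated. */
host32_size_t alloc_size_unbounded(uint32_t nent)
{
    return (host32_size_t)sizeof(struct kvm_cpuid_entry2) * nent;
}

/* Post-fix computation: clamp nent first, exactly as the hunk does,
 * so the product can never exceed 40 * KVM_MAX_CPUID_ENTRIES bytes. */
host32_size_t alloc_size_bounded(uint32_t *nent)
{
    if (*nent > KVM_MAX_CPUID_ENTRIES)
        *nent = KVM_MAX_CPUID_ENTRIES;
    return (host32_size_t)sizeof(struct kvm_cpuid_entry2) * *nent;
}

/* General check usable where clamping is not acceptable: does
 * entry_size * nent fit in a 32-bit size_t without wrapping? */
int mul_fits_u32(uint32_t entry_size, uint32_t nent)
{
    return entry_size != 0 && nent <= UINT32_MAX / entry_size;
}

int main(void)
{
    uint32_t nent = 107374183u;  /* constructed: 40 * nent == 2^32 + 24 */
    printf("unbounded: %u bytes for %u entries\n",
           alloc_size_unbounded(nent), nent);
    printf("bounded:   %u bytes for %u entries\n",
           alloc_size_bounded(&nent), nent);
    return 0;
}
```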
