Open Source and information security mailing list archives
 
Message-ID: <2025012746-rebel-clanking-3f0e@gregkh>
Date: Mon, 27 Jan 2025 13:51:54 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Zicheng Qu <quzicheng@...wei.com>
Cc: linux-cve-announce@...r.kernel.org, tanghui20@...wei.com,
	zhangqiao22@...wei.com, judy.chenhui@...wei.com
Subject: Re: CVE-2021-47341: KVM: mmio: Fix use-after-free Read in
 kvm_vm_ioctl_unregister_coalesced_mmio

On Mon, Jan 27, 2025 at 09:00:28AM +0000, Zicheng Qu wrote:
> Hi,
> 
> I am submitting a request to cancel the CVE-2021-47341 
> (https://lore.kernel.org/all/2024052137-CVE-2021-47341-f4e9@gregkh/). 
> After reviewing the relevant code, I have identified that the described 
> use-after-free (UAF) issue does not exist. Below is a detailed analysis:
> 
> Issue Description:
> The CVE claims that `kvm_vm_ioctl_unregister_coalesced_mmio()` can lead to 
> a UAF when `kvm_io_bus_unregister_dev()` returns `-ENOMEM`, supposedly 
> freeing `struct kvm_coalesced_mmio_dev *dev`. A second call to 
> `kvm_iodevice_destructor()` would then access freed memory.

The CVE also claims that you can trigger a BUG: callback, due to a KASAN
use-after-free warning which will reboot or crash your machine, right?

So because of that, this was issued a CVE.  If that use-after-free is
not correct, why is KASAN triggered by it?  Is that a bug in KASAN in
producing a false-positive?  And what about systems that run with KASAN
enabled, will the BUG trigger not hit them as well?

thanks,

greg k-h
