CVE-2021-29657

Related Files

KVM nested_svm_vmrun Double Fetch

Posted Jun 30, 2021

Authored by Google Security Research, Felix Wilhelm

A KVM guest on AMD can launch a L2 guest without the Intercept VMRUN control bit by exploiting a TOCTOU vulnerability in nested_svm_vmrun. Executing vmrun from the L2 guest, will then trigger a second call to nested_svm_vmrun and corrupt svm->nested.hsave with data copied out of the L2 vmcb. For kernel versions that include the commit "2fcf4876: KVM: nSVM: implement on demand allocation of the nested state" (>=5.10), the guest can free the MSR permission bit in svm->nested.msrpm, while it's still in use and gain unrestricted access to host MSRs.

tags | exploit, kernel

advisories | CVE-2021-29657

SHA-256 | d7d8893258c173535d6129f18da5eea5e87415de98e53b981565c55447d30da4

Download | Favorite | View

Ubuntu Security Notice USN-4948-1

Posted May 12, 2021

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 4948-1 - Ryota Shiga discovered that the eBPF implementation in the Linux kernel did not properly verify that a BPF program only reserved as much memory for a ring buffer as was allocated. A local attacker could use this to cause a denial of service or execute arbitrary code. Manfred Paul discovered that the eBPF implementation in the Linux kernel did not properly track bounds on bitwise operations. A local attacker could use this to cause a denial of service or execute arbitrary code. Various other issues were also addressed.

tags | advisory, denial of service, arbitrary, kernel, local

systems | linux, ubuntu

advisories | CVE-2020-25670, CVE-2021-28688, CVE-2021-28951, CVE-2021-28952, CVE-2021-28964, CVE-2021-28971, CVE-2021-28972, CVE-2021-29264, CVE-2021-29266, CVE-2021-29646, CVE-2021-29647, CVE-2021-29649, CVE-2021-29650, CVE-2021-29657, CVE-2021-31916, CVE-2021-3483, CVE-2021-3489, CVE-2021-3490, CVE-2021-3491

SHA-256 | 957eb73e74d19d4c62c7116de0b476cf551491d297e087fb9602eff91b7ee985

Download | Favorite | View