Arch Linux Security Advisory ASA-201411-15
==========================================

Severity: Medium
Date    : 2014-11-17
CVE-ID  : CVE-2014-3610, CVE-2014-3611, CVE-2014-3646, CVE-2014-3647, CVE-2014-7825, CVE-2014-7826, CVE-2014-8369
Package : linux-lts
Type    : local denial of service, privilege escalation
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package linux-lts before version 3.14.24-1 is vulnerable to local denial of service and privilege escalation via various issues.

Resolution
==========

Upgrade to 3.14.24-1.

# pacman -Syu "linux-lts>=3.14.24-1"

The problem has been fixed upstream in version 3.14.24.

Workaround
==========

None.

Description
===========

CVE-2014-3610: The WRMSR processing functionality in the KVM subsystem in the Linux kernel does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c.

CVE-2014-3611: Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.

CVE-2014-3646: arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

CVE-2014-3647: arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

CVE-2014-7825: kernel/trace/trace_syscalls.c in the Linux kernel does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application.

CVE-2014-7826: kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.

CVE-2014-8369: The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601.

Impact
======

A local OS user may be able to cause a kernel crash in various ways, or escalate privileges.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3610
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3611
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3646
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3647
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7825
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7826
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8369
http://permalink.gmane.org/gmane.comp.security.oss.general/14526
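The CVE-2014-3610 entry above turns on a hypervisor forwarding a guest-supplied value to a host WRMSR without checking that it is a canonical linear address. The following is an added illustration, not kernel or KVM code: it implements the canonical-address test for a 48-bit (4-level paging) x86-64 CPU and applies it to the architectural MSRs that hold linear addresses; the function name validate_guest_wrmsr and its 0/1 return convention are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not kernel code): the canonical-address check a hypervisor
 * must apply before executing a guest's WRMSR on the host. With 4-level
 * paging x86-64 implements 48 virtual address bits; bits 63..48 must be a
 * copy of bit 47, otherwise the WRMSR itself raises #GP on the host. */
#define VA_BITS 48

/* Architectural MSR numbers from the x86 manuals. */
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_STAR              0xc0000081
#define MSR_LSTAR             0xc0000082
#define MSR_CSTAR             0xc0000083
#define MSR_FS_BASE           0xc0000100
#define MSR_GS_BASE           0xc0000101
#define MSR_KERNEL_GS_BASE    0xc0000102

/* Sign-extend bit (VA_BITS-1) into bits 63..VA_BITS: the canonical form. */
static uint64_t get_canonical(uint64_t addr)
{
    uint64_t upper = ~0ULL << VA_BITS;                 /* bits 63..48 */
    return (addr & (1ULL << (VA_BITS - 1))) ? addr | upper : addr & ~upper;
}

static bool is_noncanonical_address(uint64_t addr)
{
    return get_canonical(addr) != addr;
}

/* Returns 0 if the guest's write may be forwarded to the hardware MSR and
 * 1 if it must be refused (a real hypervisor would inject #GP into the
 * guest instead of executing the WRMSR). Only MSRs that hold linear
 * addresses are checked; MSR_STAR holds segment selectors and passes. */
int validate_guest_wrmsr(uint32_t msr, uint64_t data)
{
    switch (msr) {
    case MSR_FS_BASE: case MSR_GS_BASE: case MSR_KERNEL_GS_BASE:
    case MSR_LSTAR: case MSR_CSTAR:
    case MSR_IA32_SYSENTER_ESP: case MSR_IA32_SYSENTER_EIP:
        return is_noncanonical_address(data) ? 1 : 0;
    default:
        return 0;
    }
}
```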