CVE-2016-9777 - Out-of-bounds Read

Severity

69%

Complexity

34%

Confidentiality

165%

KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.

KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.

CVSS 3.0 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.9. CVSS Attack Vector: local. CVSS Attack Complexity: medium. CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C).

Demo Examples

Out-of-bounds Read

CWE-125

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method


               
}

                     
return value;// check that the array index is less than the maximum// length of the array

                           
value = array[index];// get the value at the specified index of the array
// if array index is invalid then output error message// and return value indicating error
value = -1;

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.


               
...// check that the array index is within the correct// range of values for the array

Overview

First reported 8 years ago

2016-12-28 07:59:00

Last updated 8 years ago

2016-12-31 02:59:00

Affected Software

Linux Kernel

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=81cdb259fb6d8c1c4ecfeea389ff5a73c07f5755

Patch, Vendor Advisory

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.12

Release Notes

[oss-security] 20161202 CVE request: Kernel: kvm: out of bounds memory access via vcpu_id

Mailing List, Patch

94640

https://bugzilla.redhat.com/show_bug.cgi?id=1400804

Issue Tracking

https://github.com/torvalds/linux/commit/81cdb259fb6d8c1c4ecfeea389ff5a73c07f5755

Patch, Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.