VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2014 · Updated May 6, 2026

CVE-2014-0049

Description

A buffer overflow in KVM's complete_emulated_mmio function lets guest users execute arbitrary code on the host by manipulating MMIO emulation state.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow exists in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before version 3.13.6. It is triggered when a guest executes a pusha instruction with a stack pointer that initially points to an MMIO address (or an invalid guest physical address) but whose successive pushes extend into ordinary guest RAM. On the first, MMIO-backed push, emulator_read_write records one MMIO fragment and sets mmio_needed to 1; for a write the MMIO exit is queued and the emulator continues with the next push. On a later push that lands in regular memory, emulator_read_write resets mmio_nr_fragments to 0 on entry but never clears mmio_needed. KVM therefore still exits to userspace for the queued MMIO, and on return complete_emulated_mmio increments vcpu->mmio_cur_fragment and tests it for equality with mmio_nr_fragments. Because mmio_cur_fragment is already 1 while mmio_nr_fragments is 0, that termination condition can never be met: KVM bounces to userspace and back indefinitely, each round incrementing mmio_cur_fragment and indexing the fixed-size vcpu->mmio_fragments array further past its end [1][2][3].
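The loop described above, reduced to a user-space model (an added example, not kernel code or the vendor's patch): the struct keeps only the kvm_vcpu fields the bug touches, under their real names, with KVM_MAX_MMIO_FRAGMENTS at its kernel value of 2. state_after_pusha reproduces the state the pusha sequence leaves behind (mmio_needed set, mmio_cur_fragment 0, mmio_nr_fragments reset to 0), and complete_emulated_mmio_model runs the completion step with either the original == termination check or the >= check from the fix commit. The fragment contents, gpa and 8-iteration cap are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added model of the pre-3.13.6 complete_emulated_mmio() loop; not kernel
 * code. Only the fields the bug touches are kept, with their real names.
 * KVM_MAX_MMIO_FRAGMENTS is 2 in include/linux/kvm_host.h.
 */
#define KVM_MAX_MMIO_FRAGMENTS 2

struct mmio_fragment {
    unsigned long gpa;
    unsigned char *data;
    unsigned int len;
};

struct vcpu_model {
    int mmio_needed;
    int mmio_is_write;
    int mmio_cur_fragment;
    int mmio_nr_fragments;
    struct mmio_fragment mmio_fragments[KVM_MAX_MMIO_FRAGMENTS];
};

struct outcome {
    bool finished;        /* did the completion path ever clear mmio_needed */
    bool out_of_bounds;   /* did mmio_cur_fragment index past the array */
    int  userspace_exits; /* additional KVM_EXIT_MMIO round trips */
    int  max_index;       /* highest mmio_fragments index the loop reached */
};

/*
 * State after the pusha sequence from the advisory. Push 1 hits MMIO:
 * emulator_read_write records one fragment, sets mmio_needed = 1 and
 * mmio_cur_fragment = 0, and (for a write) lets the emulator continue.
 * Push 2 hits ordinary RAM: emulator_read_write zeroes mmio_nr_fragments
 * on entry and returns without touching mmio_needed.
 */
static void state_after_pusha(struct vcpu_model *v, unsigned char *scratch)
{
    memset(v, 0, sizeof *v);
    v->mmio_is_write = 1;
    v->mmio_needed = 1;
    v->mmio_cur_fragment = 0;
    v->mmio_fragments[0].gpa  = 0xfec00000UL;   /* constructed MMIO gpa */
    v->mmio_fragments[0].data = scratch;
    v->mmio_fragments[0].len  = 4;
    v->mmio_nr_fragments = 0;                   /* reset by push 2 */
}

/*
 * One pass of complete_emulated_mmio() after userspace has serviced an
 * MMIO exit. `fixed` selects the >= termination test from commit
 * a08d3b3b99efd509133946056531cdf8f3a0c09b instead of the original ==.
 * Returns 1 when emulation completes, 0 when KVM exits to userspace again.
 * The kernel indexes mmio_fragments[mmio_cur_fragment] unchecked; the model
 * records that index and, once it is past the array, only advances the
 * counter (as a short fragment read from out-of-bounds memory would) so the
 * model itself stays well-defined.
 */
static int complete_emulated_mmio_model(struct vcpu_model *v, bool fixed,
                                        struct outcome *o)
{
    int idx = v->mmio_cur_fragment;

    if (idx > o->max_index)
        o->max_index = idx;

    if (idx >= KVM_MAX_MMIO_FRAGMENTS) {
        o->out_of_bounds = true;                /* kernel touches memory past the array */
        v->mmio_cur_fragment++;
    } else {
        struct mmio_fragment *frag = &v->mmio_fragments[idx];
        unsigned int len = frag->len < 8 ? frag->len : 8;

        if (frag->len <= 8) {
            v->mmio_cur_fragment++;             /* switch to the next fragment */
        } else {
            frag->data += len;                  /* next 8-byte piece of this one */
            frag->gpa  += len;
            frag->len  -= len;
        }
    }

    bool done = fixed ? v->mmio_cur_fragment >= v->mmio_nr_fragments
                      : v->mmio_cur_fragment == v->mmio_nr_fragments;
    if (done) {
        v->mmio_needed = 0;
        o->finished = true;
        return 1;
    }

    o->userspace_exits++;                       /* another KVM_EXIT_MMIO */
    return 0;
}

/* Drive the round trips from the pusha state; `cap` keeps the buggy
 * variant, which never terminates on its own, from looping forever. */
static struct outcome run_completion_loop(bool fixed, int cap)
{
    struct vcpu_model v;
    unsigned char scratch[8] = {0};
    struct outcome o = { false, false, 0, 0 };

    state_after_pusha(&v, scratch);
    for (int i = 0; i < cap; i++)
        if (complete_emulated_mmio_model(&v, fixed, &o))
            break;
    return o;
}

int main(void)
{
    struct outcome bug = run_completion_loop(false, 8);
    struct outcome fix = run_completion_loop(true, 8);

    printf("== check: finished=%d exits=%d max_index=%d out_of_bounds=%d\n",
           bug.finished, bug.userspace_exits, bug.max_index, bug.out_of_bounds);
    printf(">= check: finished=%d exits=%d max_index=%d out_of_bounds=%d\n",
           fix.finished, fix.userspace_exits, fix.max_index, fix.out_of_bounds);
    return 0;
}
```

With the == check the model never finishes: after 8 round trips mmio_cur_fragment has reached 8 and every index from 2 upward lies outside the two-entry array, which is where the real kernel reads and updates fragment pointers and lengths from neighbouring kvm_vcpu fields. With the >= check the very first completion sees 1 >= 0, clears mmio_needed and returns, so the stale state costs one wasted MMIO exit and nothing more.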

Exploitation

Exploitation requires code execution inside a KVM guest. On one vCPU the guest runs carefully timed code that produces the malformed MMIO sequence (e.g., a pusha whose first push hits an MMIO address and whose later pushes land in regular memory). While KVM is bouncing between host and userspace for that vCPU, another vCPU triggers destruction of the VM with precise timing, so that kvm_clear_async_pf_completion_queue runs while the cancel_work_item data it consumes has already been overwritten with guest-controlled values. Winning this race lets the guest hijack control flow on the host [1][3].

Impact

Successful exploitation lets a guest user execute arbitrary code on the host operating system, escaping the VM and achieving full host compromise. The corrupted cancel_work_item data is consumed during VM teardown, so the guest gains control of host execution with kernel privileges [1][2][3].

Mitigation

The vulnerability is fixed in Linux kernel 3.13.6 and later by commit a08d3b3b99efd509133946056531cdf8f3a0c09b, which changes the termination check in complete_emulated_mmio from mmio_cur_fragment == mmio_nr_fragments to mmio_cur_fragment >= mmio_nr_fragments, so a stale fragment index ends MMIO completion instead of walking past the array [3]. Users should update to a patched kernel. Red Hat Enterprise Linux 5 and 6 were not affected, as they had not backported the commit that introduced the bug [1]. No workaround is available; patching is required.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
