| Message ID | 20230427132744.555509-1-cengiz.can@canonical.com |
|---|---|
| Series | CVE-2023-30456 |
On Thu, 2023-04-27 at 16:27 +0300, Cengiz Can wrote:
> [Impact]
> An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before
> 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
>
> From the Ubuntu Security Team:
>
> Reima Ishii discovered that the nested KVM implementation for Intel x86
> processors in the Linux kernel did not properly validate control registers in
> certain situations. An attacker in a guest VM could use this to cause a denial
> of service (guest crash).
>
> [Fix]
> OEM-6.1 already has the fix.
> Cherry picked from upstream to Jammy, OEM-5.17, Kinetic and OEM-6.0.
> Cherry picked from linux-5.4.y to Focal.
> Cherry picked from linux-4.19.y to Bionic.
> Backported the fix from Bionic to Xenial with some modifications.
>
> v2: Fix wrong CVE number in commit bodies.
>
> [Test case]
> This was super cumbersome to test. I had to spin up more than a dozen bare metal
> instances in AWS in order to test L0->L1->L2 KVM virtualization.
>
> I did perform basic nested KVM smoke tests using the following combinations:
>
> Host     | Level 1  | Level 2
> -------------------------------
> OEM-6.0  | OEM-6.0  | OEM-6.0
> OEM-5.17 | OEM-5.17 | OEM-5.17
> 4.15     | 4.15     | 4.15
>
> 5.15 and 5.19 were only boot tested.
>
> The following kernels were tested with the kvm-unit-tests suite, with & without the fix:
>
> 4.4, 4.15, 5.4.
>
> Test results remained the same with the fix. (On Bionic, some tests even improved
> with the fix applied).
>
> [Potential regression]
> Medium. The Xenial backport modifies a block that was untouched since 2013 and needs
> to be reviewed very carefully.
>
> Paolo Bonzini (1):
>   KVM: nVMX: add missing consistency checks for CR0 and CR4
>
>  arch/x86/kvm/vmx/nested.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> --
> 2.37.2

On 4/27/23 7:27 AM, Cengiz Can wrote:
> [...]

Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 23/04/27 04:27PM, Cengiz Can wrote:
> [...]

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>

On 27.04.23 15:27, Cengiz Can wrote:
> [...]

Applied to kinetic,jammy,focal,bionic:linux/master-next. Thanks.

-Stefan

On 27.4.2023 at 16.27, Cengiz Can wrote:
> [...]

applied to oem-5.17, oem-6.0, thanks