
List:       oss-security
Subject:    [oss-security] CVE-2019-3016: information leak within a KVM guest
From:       John Haxby <john.haxby () oracle ! com>
Date:       2020-01-30 18:00:03
Message-ID: 7151FEEF-4905-4333-8F4A-8B46AEC36E07 () oracle ! com



The problem is missing TLB flushes which potentially allows a process in a KVM guest to access memory locations within that guest that it should not have access to.

The problem is limited to host kernels 4.10 onwards with guest kernels running 4.16 onwards and PV TLB exposed to the guests.  Additionally, the problem mainly affects AMD processors but we cannot rule out Intel CPUs.

From the patch cover note:

> The KVM hypervisor may provide a guest with the ability to defer remote TLB
> flush when the remote VCPU is not running. When this feature is used,
> the TLB flush will happen only when the remote VCPU is scheduled to run
> again. This will avoid unnecessary (and expensive) IPIs.
> 
> Under certain circumstances, when a guest initiates such deferred action,
> the hypervisor may miss the request. It is also possible that the guest
> may mistakenly assume that it has already marked remote VCPU as needing a
> flush when in fact that request had already been processed by the hypervisor.
> In both cases this will result in an invalid translation being present in a
> vCPU, potentially allowing accesses to memory locations in that guest's
> address space that should not be accessible.
> 
> Note that only intra-guest memory is vulnerable.
> 
> The attached patches address both of these problems:
> 1. The first patch makes sure the hypervisor doesn't accidentally clear
> guest's remote flush request
> 2. The rest of the patches prevent the race between hypervisor
> acknowledging a remote flush request and guest issuing a new one.


Part of the attached patches were discovered independently[1] and made public on 2019-01-16 although it was our considered opinion that the security implications of this were not at all obvious so we kept the embargo.

The original patches posted to linux-distros broke ARM so I'm attaching the v2 patches.  These will be heading to the mainline kernel shortly.

jch


[1] https://lore.kernel.org/kvm/20200116001635.174948-1-jmattson@google.com
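The two races the cover note describes, as an added illustration that is not part of this post or of the attached patches: a constructed single-threaded C model of the PV TLB-flush handshake, with the interleaving injected deterministically at the point where the other party runs. The shared word, the bit names (`PREEMPTED_BIT`, `FLUSH_TLB_BIT`), the function names and the modelling of the IPI fallback as an immediate flush are all assumptions made for the demonstration, not KVM's own identifiers or code. It shows why a read-then-store on the hypervisor side (race 1) and a check-then-set on the guest side (race 2) each lose a flush request, and why an atomic exchange and a compare-and-swap respectively close them.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the PV TLB-flush handshake, not KVM code. One word is
 * shared between the guest and the hypervisor per vCPU: bit 0 says the vCPU is
 * preempted (not running), bit 1 says a remote TLB flush is pending for it.
 * The field and bit names are assumptions, not taken from the advisory. */
#define PREEMPTED_BIT  (1ULL << 0)
#define FLUSH_TLB_BIT  (1ULL << 1)

typedef struct {
    _Atomic uint64_t flags;  /* shared guest/hypervisor word */
    int flushes_done;        /* TLB flushes actually performed on this vCPU */
} vcpu_t;

/* A step the other party performs in the middle of our read-modify-write. */
typedef void (*interleave_fn)(vcpu_t *);

static void do_tlb_flush(vcpu_t *v) { v->flushes_done++; }

/* --- hypervisor side: the vCPU is being scheduled back in ----------------- */

/* Buggy pattern: read the word, act on it, then store a fresh value. A request
 * the guest sets between the read and the store is silently overwritten. */
static void hv_resume_buggy(vcpu_t *v, interleave_fn guest_step)
{
    uint64_t seen = atomic_load(&v->flags);
    if (guest_step) guest_step(v);          /* guest marks FLUSH_TLB_BIT here */
    if (seen & FLUSH_TLB_BIT) do_tlb_flush(v);
    atomic_store(&v->flags, 0);             /* clears PREEMPTED and the new request */
}

/* Fixed pattern: atomically swap the word to 0 and act on the old value. A
 * request set after the swap stays in the word and is seen on the next resume. */
static void hv_resume_fixed(vcpu_t *v, interleave_fn guest_step)
{
    uint64_t seen = atomic_exchange(&v->flags, 0);
    if (guest_step) guest_step(v);
    if (seen & FLUSH_TLB_BIT) do_tlb_flush(v);
}

/* --- guest side: asking a remote vCPU to flush ---------------------------- */
/* Both return true if the flush was deferred (no IPI sent). The IPI path is
 * modelled as an immediate flush on the target. */

/* Buggy pattern: check "preempted", then set the bit unconditionally. If the
 * target resumed in between, the bit lands on a running vCPU and the IPI is
 * skipped, so the stale translation survives. */
static bool guest_request_buggy(vcpu_t *v, interleave_fn hv_step)
{
    uint64_t seen = atomic_load(&v->flags);
    if (!(seen & PREEMPTED_BIT)) { do_tlb_flush(v); return false; }
    if (hv_step) hv_step(v);                /* hypervisor resumes the target here */
    atomic_fetch_or(&v->flags, FLUSH_TLB_BIT);
    return true;
}

/* Fixed pattern: set the bit only if the word is still exactly what we saw
 * (still preempted, nothing consumed); otherwise fall back to the IPI. */
static bool guest_request_fixed(vcpu_t *v, interleave_fn hv_step)
{
    uint64_t expected = atomic_load(&v->flags);
    if (!(expected & PREEMPTED_BIT)) { do_tlb_flush(v); return false; }
    if (hv_step) hv_step(v);
    if (!atomic_compare_exchange_strong(&v->flags, &expected,
                                        expected | FLUSH_TLB_BIT)) {
        do_tlb_flush(v);                    /* target changed state: send the IPI */
        return false;
    }
    return true;
}

/* --- interleavings ---------------------------------------------------------- */
static void step_guest_sets_request(vcpu_t *v) { atomic_fetch_or(&v->flags, FLUSH_TLB_BIT); }
static void step_hv_resumes_target(vcpu_t *v)  { hv_resume_fixed(v, NULL); }

/* Race 1 (first patch): the hypervisor clears a request the guest just made.
 * Lost if no flush happened and the bit is no longer pending either. */
bool race1_request_lost(bool fixed)
{
    vcpu_t v = { .flags = PREEMPTED_BIT, .flushes_done = 0 };
    if (fixed) hv_resume_fixed(&v, step_guest_sets_request);
    else       hv_resume_buggy(&v, step_guest_sets_request);
    bool pending = (atomic_load(&v.flags) & FLUSH_TLB_BIT) != 0;
    return v.flushes_done == 0 && !pending;
}

/* Race 2 (remaining patches): the guest defers a flush for a vCPU that has
 * already resumed. Lost if the IPI was skipped while the target is running. */
bool race2_request_lost(bool fixed)
{
    vcpu_t v = { .flags = PREEMPTED_BIT, .flushes_done = 0 };
    bool deferred = fixed ? guest_request_fixed(&v, step_hv_resumes_target)
                          : guest_request_buggy(&v, step_hv_resumes_target);
    bool running = (atomic_load(&v.flags) & PREEMPTED_BIT) == 0;
    return deferred && running && v.flushes_done == 0;
}

int main(void)
{
    printf("race 1: buggy lost=%d, fixed lost=%d\n",
           race1_request_lost(false), race1_request_lost(true));
    printf("race 2: buggy lost=%d, fixed lost=%d\n",
           race2_request_lost(false), race2_request_lost(true));
    return 0;
}
```

The model isolates each race by pairing the buggy side with the fixed counterpart, so a lost request in `race1_request_lost(false)` is attributable to the hypervisor's non-atomic clear and one in `race2_request_lost(false)` to the guest's check-then-set; in the fixed variants the request is either acted on, left pending for the next resume, or replaced by the IPI fallback.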




["signature.asc" (signature.asc)]

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iHUEAREIAB0WIQT+pxvb11CFWUkNSOVFC7t+lC+jyAUCXjMZowAKCRBFC7t+lC+j
yAYnAP9xWzZsYEh4zKYLd7yEyUbBQug9NxWhOJXq7uz1Ag8XZAD/fIpQie2WZN5B
fiCNpHvoLH9OuvBWFtQIRKm7p40JFic=
=nfv9
-----END PGP SIGNATURE-----


