Message-ID: <CAA8xKjVxPtO+VpLsn1Ta+2Tv9YB2Q_fg2BOcC7=z6BzR7Qm8OQ@mail.gmail.com>
Date: Mon, 16 Aug 2021 16:13:56 +0200
From: Mauro Matteo Cascella <mcascell@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Maxim Levitsky <mlevitsk@...hat.com>, Paolo Bonzini <pbonzini@...hat.com>
Subject: [CVE-2021-3653, CVE-2021-3656] SVM nested virtualization issues in KVM

Hello,

Two vulnerabilities were found in KVM's AMD code for supporting SVM nested
virtualization. They occur due to missing sanity checks of some VMCB (virtual
machine control block) fields provided by the L1 guest to handle a nested L2
guest.

----------------------
CVE-2021-3653
----------------------

This issue is caused by missing validation of the `int_ctl` VMCB field and
allows a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt
Controller) for the L2 guest. The L2 guest is able to write to a limited but
still relatively large subset of the host physical memory. Note that AVIC is
currently not supported with nesting and it is not advertised in the L1 CPUID.

This bug dates back to kernel 2.6.30 where it was first introduced via commit:
https://github.com/torvalds/linux/commit/3d6368ef580a.

CVE-2021-3653 has been assigned by Red Hat, Inc.

----------------------
CVE-2021-3656
----------------------

This issue is caused by missing validation of the `virt_ext` VMCB field and
allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS
(Virtual VMLOAD/VMSAVE) for the L2 guest. Under these circumstances, the L2
guest is able to run VMLOAD/VMSAVE unintercepted, and thus read/write portions
of the host physical memory.

This bug was introduced in kernel version 4.13 while enabling the Virtual
VMLOAD/VMSAVE feature:
https://github.com/torvalds/linux/commit/89c8a4984fc9.

CVE-2021-3656 has been assigned by Red Hat, Inc.

---------
Impact
---------

The nested guest (L2) could use these flaws to read/write physical pages of
the host, resulting in a crash of the entire system, leak of sensitive data or
potential guest-to-host escape.

-------------
Mitigation
-------------

Both vulnerabilities can be mitigated by disabling the nested virtualization
feature when loading kvm:

  # modprobe kvm_amd nested=0

Disabling VLS (Virtual VMLOAD/VMSAVE) is an alternative mitigation for
CVE-2021-3656:

  # modprobe kvm_amd vls=0

----------
Credits
----------

CVE-2021-3653: Maxim Levitsky (Red Hat)
CVE-2021-3656: Maxim Levitsky (Red Hat) and Paolo Bonzini (Red Hat)

--------
Patch
--------

CVE-2021-3653:
https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=0f923e07124df069ba68d8bb12324398f4b6b709

CVE-2021-3656:
https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc

Thank you,
Best regards.

-- 
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
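The following is an added example and is not part of the advisory above or of the KVM project. It is a host-side check, written from the defender's side, that reads the kvm_amd module parameters named in the mitigation section and reports which of the two workarounds is in effect. It assumes the parameters are exposed under /sys/module/kvm_amd/parameters/ (the standard sysfs location for module parameters) and that the files print either 0/1 or N/Y; the directory argument exists only so the function can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example (not the advisory's or KVM's own code): report whether the
# kvm_amd workarounds from the advisory (nested=0, vls=0) are active on a host.
# Assumption: module parameters are readable under
# /sys/module/kvm_amd/parameters/ and print 0/1 or N/Y.

param_disabled() {
    # $1 = path to a sysfs parameter file. Succeeds only if the value is "off".
    [ -r "$1" ] || return 1
    case "$(cat "$1")" in
        0|N|n) return 0 ;;
        *)     return 1 ;;
    esac
}

# Prints exactly one status word:
#   not-loaded      parameters directory absent (kvm_amd not loaded)
#   mitigated-both  nested=0: workaround covers CVE-2021-3653 and CVE-2021-3656
#   mitigated-3656  vls=0 only: covers CVE-2021-3656, not CVE-2021-3653
#   exposed         neither workaround is active; rely on the kernel patches
kvm_amd_mitigation_status() {
    dir="${1:-/sys/module/kvm_amd/parameters}"
    [ -d "$dir" ] || { echo not-loaded; return 0; }
    if param_disabled "$dir/nested"; then
        echo mitigated-both
    elif param_disabled "$dir/vls"; then
        echo mitigated-3656
    else
        echo exposed
    fi
}

# When executed directly, report on the live host.
kvm_amd_mitigation_status
```

A result of "mitigated-3656" or "exposed" means CVE-2021-3653 is only addressed by the kernel patch, so the status should be read together with the running kernel version. The check is a point-in-time snapshot: parameters set at modprobe time are lost if the module is reloaded without them, so a persistent setting belongs in modprobe.d as well.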