Bug 1214022 (CVE-2023-4155)

Summary: VUL-0: CVE-2023-4155: kernel: KVM SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mhocko, pmladek, roy.hopkins, security-team, tiwai, vasant.karasulli
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/374365/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4155:6.5:(AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-08-07 08:08:44 UTC
CVE-2023-4155

A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can theoretically trigger a stack overflow and cause a denial-of-service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4155
https://bugzilla.redhat.com/show_bug.cgi?id=2213802
Comment 3 Robert Frohl 2023-08-07 08:41:21 UTC
CONFIG_VMAP_STACK enabled since SLE12-SP4 (x86_64), since SLE15-SP2 for all archs
Comment 5 Petr Mladek 2023-09-18 10:14:04 UTC
Gentle ping. We are almost in the middle of the SLA.
Comment 7 Roy Hopkins 2023-09-19 10:26:08 UTC
Patch series can be found at
https://lore.kernel.org/lkml/20230804173355.51753-2-pbonzini@redhat.com/T/#md9b752b8c3522b78e7effa4ed7822ab35619d518.
Although the CVE impact is mitigated by CONFIG_VMAP_STACK being enabled, it certainly makes sense to port these patches to affected kernels to prevent the denial of service.

Patches are already present in SLE15-SP6, ALP-current & main.
Backport to SLE15-SP4 is currently in progress.
Comment 8 Roy Hopkins 2023-09-19 14:42:23 UTC
Backport to SLE15-SP4 has been submitted.
Comment 16 Takashi Iwai 2023-10-11 07:19:39 UTC
The patch seems to be missing in the SLE15-SP6 branch.
Roy, could you backport it there, too?

Note that the branch was created after the comment 4 time point.
Comment 17 Roy Hopkins 2023-10-12 09:46:31 UTC
Two of the three patches from the series are already present in SLE15-SP6:

	patches.suse/KVM-SEV-snapshot-the-GHCB-before-accessing-it.patch
	patches.suse/KVM-SEV-only-access-GHCB-fields-once.patch

The other patch only includes a code tidy-up and no functional changes. I have a backport ready for that patch, but I don't see it as required to address this bug, as the two patches already present perform the actual fix, so I haven't pushed it yet. Do you want me to push it?
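The two patches named above close the double-fetch window described in the bug: instead of reading a guest-writable GHCB field once to validate it and again to act on it, the host snapshots the field once and uses only that copy. The following is an added, constructed user-space model of that pattern, not the kernel's code; the `ghcb_model` struct, the exit-code values and the `race` hook (which stands in for the guest's other vCPU rewriting the shared page between two host reads) are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the guest/host shared GHCB page.
 * Only a single guest-written field matters for this demonstration. */
struct ghcb_model {
    volatile uint64_t sw_exit_code;   /* written by the guest, read by the host */
};

/* Hypothetical exit-code values for this model, not the real SEV-ES ones. */
#define EXIT_ALLOWED  0x10
#define EXIT_REJECTED 0x20

/* Stands in for another guest vCPU writing the field between two host reads. */
typedef void (*guest_hook_t)(struct ghcb_model *);

/* Vulnerable pattern: the host validates one read of the shared field and then
 * dispatches on a second read, so a value that passed validation can be
 * swapped for one that did not. */
int handle_double_fetch(struct ghcb_model *g, guest_hook_t race)
{
    if (g->sw_exit_code != EXIT_ALLOWED)   /* first fetch: validation */
        return -1;
    if (race) race(g);                     /* the race window */
    return (int)g->sw_exit_code;           /* second fetch: dispatch */
}

/* Fixed pattern (what "snapshot the GHCB" / "access fields once" achieve):
 * copy the field into host-private memory once, then validate and dispatch
 * on that snapshot only; later guest writes cannot influence the decision. */
int handle_snapshot(struct ghcb_model *g, guest_hook_t race)
{
    uint64_t code = g->sw_exit_code;       /* single fetch */
    if (code != EXIT_ALLOWED)
        return -1;
    if (race) race(g);                     /* guest write is now irrelevant */
    return (int)code;
}

/* Simulated concurrent guest write: flips the field after validation. */
static void flip_to_rejected(struct ghcb_model *g) { g->sw_exit_code = EXIT_REJECTED; }

int main(void)
{
    struct ghcb_model g = { .sw_exit_code = EXIT_ALLOWED };
    printf("double fetch dispatched 0x%x\n", handle_double_fetch(&g, flip_to_rejected));
    g.sw_exit_code = EXIT_ALLOWED;
    printf("snapshot dispatched 0x%x\n", handle_snapshot(&g, flip_to_rejected));
    return 0;
}
```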
Comment 18 Maintenance Automation 2023-10-12 12:46:28 UTC
SUSE-SU-2023:4058-1: An update that solves 18 vulnerabilities, contains three features and has 71 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1152472, 1187236, 1201284, 1202845, 1206453, 1208995, 1210169, 1210643, 1210658, 1212639, 1212703, 1213123, 1213534, 1213808, 1214022, 1214037, 1214040, 1214233, 1214351, 1214479, 1214543, 1214635, 1214813, 1214873, 1214928, 1214940, 1214941, 1214942, 1214943, 1214944, 1214945, 1214946, 1214947, 1214948, 1214949, 1214950, 1214951, 1214952, 1214953, 1214954, 1214955, 1214957, 1214958, 1214959, 1214961, 1214962, 1214963, 1214964, 1214965, 1214966, 1214967, 1214986, 1214988, 1214990, 1214991, 1214992, 1214993, 1214995, 1214997, 1214998, 1215115, 1215117, 1215123, 1215124, 1215148, 1215150, 1215221, 1215275, 1215322, 1215467, 1215523, 1215581, 1215752, 1215858, 1215860, 1215861, 1215875, 1215877, 1215894, 1215895, 1215896, 1215899, 1215911, 1215915, 1215916, 1215941, 1215956, 1215957
CVE References: CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-37453, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-40283, CVE-2023-4155, CVE-2023-42753, CVE-2023-42754, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5345
Jira References: PED-1549, PED-2023, PED-2025
Sources used:
openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1
Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Takashi Iwai 2023-10-13 07:32:10 UTC
If they are in SP5, better to be applied to SP6 at the same time, too.
Comment 21 Roy Hopkins 2023-10-16 07:44:11 UTC
Final patch in the series has now been merged to SLE15-SP6 branch and tagged with BSC/CVE.
Comment 29 Robert Frohl 2024-05-23 07:53:29 UTC
done, closing