Bug 1099183 - (CVE-2018-12904) VUL-0: CVE-2018-12904: kernel-source: kvm: privilege escalation in L1 guest
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / Other
Priority: P3 - Medium
Severity: Major
Assigned To: Joerg Roedel
QA Contact: Security Team bot
Whiteboard: CVSSv3:SUSE:CVE-2018-12904:8.8:(AV:L/...
Reported: 2018-06-26 15:27 UTC by Marcus Meissner
Modified: 2020-06-10 07:58 UTC
Found By: ---
Blocker: ---

Description Marcus Meissner 2018-06-26 15:27:37 UTC
found by google p0

https://bugs.chromium.org/p/project-zero/issues/detail?id=1589
 KVM (nested virtualization): privilege escalation in L1 guest
Project Member Reported by fwilhelm@google.com, Jun 8
Issue description

When KVM (on Intel) virtualizes another hypervisor as L1 VM it does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0.

For code running on bare metal or VMX root mode this is enforced by hardware. However, for code running in L1, the instruction always triggers a VM exit even when executed with cpl 3. This behavior is documented by Intel (example is for the VMPTRST instruction):

(Intel Manual 30-18 Vol. 3C) 
IF (register operand) or (not in VMX operation) or (CR0.PE = 0) or (RFLAGS.VM = 1) or (IA32_EFER.LMA = 1 and CS.L = 0)
 THEN #UD;
ELSIF in VMX non-root operation
 THEN VMexit;
ELSIF CPL > 0
 THEN #GP(0);
ELSE
 64-bit in-memory destination operand ← current-VMCS pointer;

This means that a normal user space program running in the L1 VM can trigger KVM's VMX emulation, which gives a large number of privilege escalation vectors (fake VMCS or vmptrld / vmptrst to a kernel address are the first that come to mind). As the VMX emulation code checks for the guest's CR4.VMXE value, this only works if an L2 guest is running.

A somewhat realistic exploit scenario would involve someone breaking out of an L2 guest (for example by exploiting a bug in the L1 qemu process) and then using this bug for privilege escalation on the L1 system.

Simple POC (tested on L0 and L1 running Ubuntu 18.04 4.15.0-22-generic).
This requires that an L2 guest exists:

echo 'main(){asm volatile ("vmptrst 0xffffffffc0031337");}'| gcc -xc - ; ./a.out

[ 2537.280319] BUG: unable to handle kernel paging request at ffffffffc0031337

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Project Member Comment 1 by fwilhelm@google.com, Yesterday (26 hours ago)
Labels: -Restrict-View-Commit
Status: Fixed (was: New)

Fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kvm?id=727ba748e110b4de50d142edca9d6a9b7e6111d8
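The Intel pseudocode quoted in the report, and the check the L0 emulator has to repeat on the VM-exit path, as an added C model. This is not code from the bug report, the Project Zero issue or the kernel fix; the `cpu_state` fields and the function names are invented for the example. It shows why the ordering of the documented checks matters: for a guest in VMX non-root operation the hardware takes the VM exit before it ever reaches the `CPL > 0` branch, so the emulator is the only place that check can happen.

```c
/* Added example, not from the bug report or the kernel fix: a model of the
 * documented VMPTRST checks and of the CPL check an L0 emulator must repeat.
 * cpu_state and all function names are invented for illustration. */
#include <stdbool.h>
#include <stdio.h>

enum vmx_outcome { VMX_OK, VMX_UD, VMX_GP0, VMX_VMEXIT };

struct cpu_state {
    bool register_operand;   /* VMPTRST with a register operand is #UD */
    bool in_vmx_operation;   /* VMXON has been executed (CR4.VMXE set) */
    bool cr0_pe;
    bool rflags_vm;
    bool efer_lma;
    bool cs_l;
    bool vmx_non_root;       /* executing as a guest under VMX */
    unsigned cpl;
};

/* Hardware behaviour as documented in the quoted pseudocode. The non-root
 * test precedes the CPL test, so a CPL-3 program inside a guest produces a
 * VM exit instead of #GP(0). */
enum vmx_outcome hw_vmptrst(const struct cpu_state *s)
{
    if (s->register_operand || !s->in_vmx_operation || !s->cr0_pe ||
        s->rflags_vm || (s->efer_lma && !s->cs_l))
        return VMX_UD;
    if (s->vmx_non_root)
        return VMX_VMEXIT;
    if (s->cpl > 0)
        return VMX_GP0;
    return VMX_OK;
}

/* L0 handling of the VMPTRST exit. With enforce_cpl == false the handler
 * behaves like the affected kernels (4.12 up to the fix) and emulates the
 * instruction for any CPL; with enforce_cpl == true it injects #GP(0)
 * exactly as root-mode hardware would have done. */
enum vmx_outcome l0_emulate_vmptrst(const struct cpu_state *guest,
                                    bool enforce_cpl)
{
    if (enforce_cpl && guest->cpl > 0)
        return VMX_GP0;    /* fixed path: #GP(0) injected into the L1 guest */
    return VMX_OK;         /* store the current-VMCS pointer for the guest */
}

/* End-to-end view of what a ring-3 program in L1 observes. */
enum vmx_outcome l1_user_vmptrst(bool enforce_cpl)
{
    struct cpu_state l1_user = {
        .in_vmx_operation = true, .cr0_pe = true,
        .efer_lma = true, .cs_l = true,
        .vmx_non_root = true, .cpl = 3,
    };
    enum vmx_outcome hw = hw_vmptrst(&l1_user);
    if (hw != VMX_VMEXIT)
        return hw;         /* #UD cases never reach the emulator */
    return l0_emulate_vmptrst(&l1_user, enforce_cpl);
}

int main(void)
{
    printf("L1 ring 3, emulator without CPL check: %s\n",
           l1_user_vmptrst(false) == VMX_OK ? "instruction emulated" : "#GP(0)");
    printf("L1 ring 3, emulator with CPL check:    %s\n",
           l1_user_vmptrst(true) == VMX_GP0 ? "#GP(0)" : "instruction emulated");
    return 0;
}
```

Run stand-alone, the first line shows the affected behaviour (a CPL-3 program gets its VMPTRST emulated) and the second the fixed behaviour (the guest receives #GP(0)); on real hardware outside a guest the same CPL-3 execution is refused by the processor itself, which is the case `hw_vmptrst` models with `vmx_non_root == false`.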
Comment 1 Joerg Roedel 2018-06-27 07:48:06 UTC
I will take care of that.
Comment 2 Joerg Roedel 2018-06-27 08:12:00 UTC
Issue was introduced with

commit 70f3aac964ae2bc9a0a1d5d65a62e258591ade18
Author: Jim Mattson <jmattson@google.com>
Date:   Wed Apr 26 08:53:46 2017 -0700

    kvm: nVMX: Remove superfluous VMX instruction fault checks

which went into 4.12. Kernels before that are not affected as they already have cpl checks for nested VMX instructions.

So only SLE15 is affected on our side, and I pushed the fix to my for-next branch.
Comment 8 Joerg Roedel 2018-07-06 15:31:12 UTC
Fix is merged. Closing.
Comment 10 Swamp Workflow Management 2018-07-18 06:20:46 UTC
This is an autogenerated message for OBS integration:
This bug (1099183) was mentioned in
https://build.opensuse.org/request/show/623531 42.3 / kernel-source
https://build.opensuse.org/request/show/623532 15.0 / kernel-source
Comment 11 Swamp Workflow Management 2018-07-18 06:20:46 UTC
This is an autogenerated message for OBS integration:
This bug (1099183) was mentioned in
https://build.opensuse.org/request/show/623531 42.3 / kernel-source
https://build.opensuse.org/request/show/623532 15.0 / kernel-source
Comment 13 Swamp Workflow Management 2018-07-24 16:15:09 UTC
SUSE-SU-2018:2051-1: An update that solves four vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1012382,1064232,1075876,1076110,1085185,1085657,1089525,1090435,1090888,1091171,1092207,1094244,1094248,1094643,1095453,1096790,1097034,1097140,1097492,1097501,1097551,1097808,1097931,1097961,1098016,1098236,1098425,1098435,1098527,1098599,1099042,1099183,1099279,1099713,1099732,1099792,1099810,1099918,1099924,1099966,1099993,1100089,1100340,1100416,1100418,1100491,1100843,1101296
CVE References: CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-9385
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.140-94.42.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.140-94.42.1, kernel-obs-build-4.4.140-94.42.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.140-94.42.1, kernel-source-4.4.140-94.42.1, kernel-syms-4.4.140-94.42.1
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_15-1-4.3.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.140-94.42.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.140-94.42.1, kernel-source-4.4.140-94.42.1, kernel-syms-4.4.140-94.42.1
SUSE CaaS Platform ALL (src):    kernel-default-4.4.140-94.42.1
SUSE CaaS Platform 3.0 (src):    kernel-default-4.4.140-94.42.1
Comment 14 Swamp Workflow Management 2018-07-28 13:15:30 UTC
openSUSE-SU-2018:2118-1: An update that solves four vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1012382,1064232,1075876,1076110,1085185,1085657,1089525,1090435,1090888,1091171,1092207,1094244,1094248,1094643,1095453,1096790,1097034,1097140,1097492,1097501,1097551,1097808,1097931,1097961,1098016,1098236,1098425,1098435,1098527,1098599,1099042,1099183,1099279,1099713,1099732,1099792,1099810,1099918,1099924,1099966,1099993,1100089,1100340,1100416,1100418,1100491,1100843,1101296
CVE References: CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-9385
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.140-62.2, kernel-default-4.4.140-62.2, kernel-docs-4.4.140-62.2, kernel-obs-build-4.4.140-62.3, kernel-obs-qa-4.4.140-62.1, kernel-source-4.4.140-62.2, kernel-syms-4.4.140-62.1, kernel-vanilla-4.4.140-62.2
Comment 15 Swamp Workflow Management 2018-07-28 13:56:51 UTC
openSUSE-SU-2018:2119-1: An update that solves 23 vulnerabilities and has 283 fixes is now available.

Category: security (important)
Bug References: 1022476,1046303,1046305,1046306,1046307,1046540,1046542,1046543,1048129,1050242,1050252,1050529,1050536,1050538,1050545,1050549,1050662,1051510,1052766,1055117,1055186,1055968,1056427,1056643,1056651,1056653,1056657,1056658,1056662,1056686,1056787,1058115,1058513,1058659,1058717,1059336,1060463,1061024,1061840,1062897,1064802,1065600,1065729,1066110,1066129,1068032,1068054,1068546,1071218,1071995,1072829,1072856,1073513,1073765,1073960,1074562,1074578,1074701,1074741,1074873,1074919,1074984,1075006,1075007,1075262,1075419,1075748,1075876,1076049,1076115,1076372,1076830,1077338,1078248,1078353,1079152,1079747,1080039,1080157,1080542,1081599,1082485,1082504,1082869,1082962,1083647,1083684,1083900,1084001,1084570,1084721,1085308,1085341,1085400,1085539,1085626,1085933,1085936,1085937,1085938,1085939,1085941,1086224,1086282,1086283,1086286,1086288,1086319,1086323,1086400,1086467,1086652,1086739,1087084,1087088,1087092,1087205,1087210,1087213,1087214,1087284,1087405,1087458,1087939,1087978,1088273,1088354,1088374,1088690,1088704,1088713,1088722,1088796,1088804,1088821,1088866,1088872,1089074,1089086,1089115,1089141,1089198,1089268,1089271,1089467,1089608,1089644,1089663,1089664,1089667,1089669,1089752,1089753,1089762,1089878,1089889,1089977,1090098,1090150,1090457,1090522,1090534,1090535,1090605,1090643,1090646,1090658,1090717,1090734,1090818,1090888,1090953,1091101,1091158,1091171,1091264,1091424,1091532,1091543,1091594,1091666,1091678,1091686,1091781,1091782,1091815,1091860,1091960,1092100,1092289,1092472,1092566,1092710,1092772,1092888,1092904,1092975,1093023,1093027,1093035,1093118,1093148,1093158,1093184,1093205,1093273,1093290,1093604,1093641,1093649,1093653,1093655,1093657,1093663,1093721,1093728,1093904,1093990,1094244,1094356,1094420,1094541,1094575,1094751,1094825,1094840,1094978,1095042,1095094,1095104,1095115,1095155,1095265,1095321,1095337,1095467,1095573,1095735,1095893,1096065,1096480,1096529,1096696,1096705,1096728,1096753,1096790,1096793,
1097034,1097105,1097234,1097356,1097373,1097439,1097465,1097468,1097470,1097471,1097472,1097551,1097780,1097796,1097800,1097941,1097961,1098016,1098043,1098050,1098174,1098176,1098236,1098401,1098425,1098435,1098599,1098626,1098706,1098983,1098995,1099029,1099041,1099109,1099142,1099183,1099715,1099792,1099918,1099924,1099966,1100132,1100209,1100340,1100362,1100382,1100416,1100418,1100491,1100602,1100633,1100734,1100843,1101296,1101315,1101324,971975,975772
CVE References: CVE-2017-5715,CVE-2017-5753,CVE-2018-1000200,CVE-2018-1000204,CVE-2018-10087,CVE-2018-10124,CVE-2018-10323,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1108,CVE-2018-1118,CVE-2018-1120,CVE-2018-1130,CVE-2018-12233,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492,CVE-2018-8781,CVE-2018-9385
Sources used:
openSUSE Leap 15.0 (src):    kernel-debug-4.12.14-lp150.12.7.1, kernel-default-4.12.14-lp150.12.7.1, kernel-docs-4.12.14-lp150.12.7.1, kernel-kvmsmall-4.12.14-lp150.12.7.1, kernel-obs-build-4.12.14-lp150.12.7.1, kernel-obs-qa-4.12.14-lp150.12.7.1, kernel-source-4.12.14-lp150.12.7.1, kernel-syms-4.12.14-lp150.12.7.1, kernel-vanilla-4.12.14-lp150.12.7.1
Comment 16 Swamp Workflow Management 2018-07-31 16:16:48 UTC
SUSE-SU-2018:2150-1: An update that solves 5 vulnerabilities and has 47 fixes is now available.

Category: security (important)
Bug References: 1012382,1068032,1074562,1074578,1074701,1075006,1075419,1075748,1075876,1080039,1085185,1085657,1087084,1087939,1089525,1090435,1090888,1091171,1092207,1094244,1094248,1094643,1095453,1096790,1097034,1097140,1097492,1097501,1097551,1097808,1097931,1097961,1098016,1098236,1098425,1098435,1098527,1099042,1099183,1099279,1099713,1099732,1099810,1099918,1099924,1099966,1099993,1100089,1100340,1100416,1100418,1100491
CVE References: CVE-2017-5753,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-9385
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.139-3.17.1, kernel-rt_debug-4.4.139-3.17.1, kernel-source-rt-4.4.139-3.17.1, kernel-syms-rt-4.4.139-3.17.1
Comment 18 Swamp Workflow Management 2018-08-06 22:25:23 UTC
SUSE-SU-2018:2222-1: An update that solves 8 vulnerabilities and has 132 fixes is now available.

Category: security (important)
Bug References: 1012382,1037697,1046299,1046300,1046302,1046303,1046305,1046306,1046307,1046533,1046543,1048129,1050242,1050529,1050536,1050538,1050540,1050549,1051510,1054245,1056651,1056787,1058115,1058169,1058659,1060463,1066110,1068032,1075087,1075360,1075876,1077338,1077761,1077989,1078248,1085042,1085536,1085539,1086282,1086283,1086286,1086301,1086313,1086314,1086319,1086323,1086324,1086457,1086652,1087092,1087202,1087217,1087233,1087978,1088821,1088866,1090098,1090888,1091041,1091171,1091424,1091860,1092472,1093035,1093118,1093148,1093290,1093666,1094119,1094244,1094978,1095155,1095337,1096330,1096529,1096790,1096793,1097034,1097583,1097584,1097585,1097586,1097587,1097588,1097941,1097961,1098050,1098236,1098401,1098599,1098626,1098633,1098706,1098983,1098995,1099029,1099041,1099109,1099142,1099183,1099193,1099715,1099792,1099918,1099924,1099966,1100132,1100209,1100340,1100362,1100382,1100416,1100418,1100491,1100602,1100633,1100843,1100884,1101143,1101296,1101315,1101324,1101337,1101352,1101564,1101669,1101674,1101789,1101813,1101816,1102088,1102097,1102147,1102340,1102512,1102851,1103216,1103220,1103230,1103421
CVE References: CVE-2017-18344,CVE-2017-5753,CVE-2018-1118,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-5390,CVE-2018-9385
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    kernel-azure-4.12.14-5.8.1, kernel-source-azure-4.12.14-5.8.1, kernel-syms-azure-4.12.14-5.8.1