Bug 1199509 - (CVE-2022-0171) VUL-0: CVE-2022-0171: kernel-source,kernel-source-rt,kernel-source-azure: kernel: KVM: cache incoherence issue in SEV API may lead to kernel crash
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Importance: P3 - Medium, Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/331582/
CVSSv3.1:SUSE:CVE-2022-0171:5.5:(AV:L...
Depends on:
Blocks:
Reported: 2022-05-13 08:36 UTC by Carlos López
Modified: 2023-01-18 17:40 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-05-13 08:36:57 UTC
rh#2038940

The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports SEV.

Upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bb4ce2c65881a2b9bdcd384f54a260a12a89dd91

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2038940
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0171
Comment 1 Carlos López 2022-05-13 08:46:50 UTC
cve/linux-4.4 and older do not have SEV support, so they are not affected.

For cve/linux-4.12 and cve/linux-5.3 the SEV code looks quite different, and I can't really find the equivalent cache flushes. In fact, only the code in SLE15-SP3 checks for hardware-enforced cache coherency. Thus, I'm tracking them as affected, but please let me know if this is not correct.

SLE15-SP4-GA is also affected.
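The description says the issue only matters on AMD hosts that support SEV, and Comment 1 notes that some of the affected code paths decide whether to flush caches by checking for hardware-enforced cache coherency. The following is an added inventory helper, not code from this bug report or from the kernel patches it tracks: it decodes the AMD SEV capability leaf (CPUID Fn8000_001F, EAX) so an administrator can tell whether a host is even in scope. The bit positions (bit 0 SME, bit 1 SEV, bit 3 SEV-ES, bit 10 hardware-enforced coherency) follow the AMD APM; the scoping rule in `sev_flush_required` (SEV present and no hardware coherency means the kernel must do the flushes itself) is this example's own reading of the comments, and a positive result says nothing about whether the running kernel already carries the fix.

```c
/* Added example (not part of bug 1199509): decode CPUID Fn8000_001F EAX
 * to decide whether a host is in scope for the SEV cache-incoherence issue.
 * Bit layout per AMD APM (assumption stated in the lead-in):
 *   bit 0  SME
 *   bit 1  SEV
 *   bit 3  SEV-ES
 *   bit 10 hardware-enforced cache coherency across encryption domains */
#include <stdint.h>
#include <stdio.h>

struct sev_caps {
    int sme;
    int sev;
    int sev_es;
    int hw_coherent;
};

/* Pure decoder: works on any EAX value, so it can be tested without SEV hardware. */
struct sev_caps decode_sev_caps(uint32_t eax)
{
    struct sev_caps c;
    c.sme = (eax >> 0) & 1u;
    c.sev = (eax >> 1) & 1u;
    c.sev_es = (eax >> 3) & 1u;
    c.hw_coherent = (eax >> 10) & 1u;
    return c;
}

/* Scoping rule (this example's interpretation of the bug comments):
 * the kernel must flush caches explicitly when SEV is available and the
 * hardware does not enforce coherency by itself. Returns 1 if the host
 * depends on those software flushes, 0 otherwise. */
int sev_flush_required(uint32_t eax)
{
    struct sev_caps c = decode_sev_caps(eax);
    return c.sev && !c.hw_coherent;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Read the leaf from the running CPU. Returns 0 when the leaf is absent
 * (non-AMD or older parts), in which case *eax_out is left untouched. */
int read_sev_leaf(uint32_t *eax_out)
{
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(0x8000001fu, &eax, &ebx, &ecx, &edx))
        return 0;
    *eax_out = eax;
    return 1;
}
#else
int read_sev_leaf(uint32_t *eax_out)
{
    (void)eax_out;
    return 0;
}
#endif

int main(void)
{
    uint32_t eax = 0;
    if (!read_sev_leaf(&eax)) {
        printf("CPUID 0x8000001F not available: host cannot run SEV guests, not in scope\n");
        return 0;
    }
    struct sev_caps c = decode_sev_caps(eax);
    printf("SME=%d SEV=%d SEV-ES=%d hw_coherent=%d\n", c.sme, c.sev, c.sev_es, c.hw_coherent);
    if (sev_flush_required(eax))
        printf("SEV host without hardware coherency: kernel must carry the cache-flush fix\n");
    else
        printf("No SEV, or coherency enforced by hardware: explicit flush path not relied on\n");
    return 0;
}
```

Run it on the hypervisor itself, not inside a guest, since a guest's CPUID view is virtualised and may hide the leaf.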
Comment 3 Jan Kara 2022-05-13 20:36:28 UTC
Joerg, I think this is for you. See details of security bug handling at https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 4 Joerg Roedel 2022-05-19 12:16:55 UTC
Hi Carlos,

(In reply to Carlos López from comment #2)
> The relevant upstream commits seem to be the following:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=4bbef7e8eb8c2c7dabf57d97decfd2b4f48aaf02
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=d45829b351ee6ec5f54dd55e6aca1f44fe239fe6

Just for my personal interest, where did you get the above two commits from? I can't find them referenced in any of the related documents.

> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=683412ccf61294d727ead4a73d97397396e69a6b
Comment 7 Joerg Roedel 2022-05-19 14:34:12 UTC
SLE15-SP4 backport is in users/jroedel/SLE15-SP4-GA/bsc1199509
Comment 8 Takashi Iwai 2022-05-19 14:48:02 UTC
(In reply to Joerg Roedel from comment #7)
> SLE15-SP4 backport is in users/jroedel/SLE15-SP4-GA/bsc1199509

I think that this bug doesn't qualify for GA-merge, as CVSS is too low.
Comment 9 Joerg Roedel 2022-05-19 16:08:22 UTC
Backport for 5.3 is here:

users/jroedel/cve/linux-5.3/bsc1199509

It only required https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=683412ccf61294d727ead4a73d97397396e69a6b

The other two commits are only needed with SEV-ES host support, which is not in 5.3.

Claudio, some changes to the patch were needed for the above backport. Could someone from your team have a look and do an additional review, please?
Comment 10 Joerg Roedel 2022-05-19 16:09:24 UTC
(In reply to Takashi Iwai from comment #8)
> (In reply to Joerg Roedel from comment #7)
> > SLE15-SP4 backport is in users/jroedel/SLE15-SP4-GA/bsc1199509
> 
> I think that this bug doesn't qualify for GA-merge, as CVSS is too low.

Understood, thanks. Will move it over to the SLE15-SP4 branch.
Comment 11 Joerg Roedel 2022-05-20 05:57:31 UTC
(In reply to Takashi Iwai from comment #8)
> (In reply to Joerg Roedel from comment #7)
> > SLE15-SP4 backport is in users/jroedel/SLE15-SP4-GA/bsc1199509
> 
> I think that this bug doesn't qualify for GA-merge, as CVSS is too low.

SLE15-SP4 backport now in users/jroedel/SLE15-SP4/bsc1199509
Comment 12 Dario Faggioli 2022-05-20 07:01:55 UTC
(In reply to Joerg Roedel from comment #9)
> Backport for 5.3 is here:
> 
> users/jroedel/cve/linux-5.3/bsc1199509
> 
> It only required
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/
> ?id=683412ccf61294d727ead4a73d97397396e69a6b
> 
> Claudio, some changes to the patch were needed for the above backport. Could
> someone from your team have a look and do an additional review, please?
>
Hi! I've just had a look. The patch looks ok to me, and I also think it is a proper backport of the referenced upstream commit.
Comment 13 Joerg Roedel 2022-05-24 11:51:54 UTC
(In reply to Dario Faggioli from comment #12)

> Hi! I've just had a look. The patch looks ok to me, and I also think it is a
> proper backport of the referenced upstream commit.

Thanks for your review, Dario! I pushed the change for inclusion into cve/linux-5.3.
Comment 14 Joerg Roedel 2022-06-02 09:29:21 UTC
These branches contain the fix(es):

* master via upstream
* stable via upstream
* SLE15-SP4 via backport
* cve/linux-5.3 via backport

All older branches are not affected by this issue. Assigning back.
Comment 34 Gabriele Sonnu 2022-07-19 13:58:55 UTC
Done.