Bugzilla – Bug 1214022
VUL-0: CVE-2023-4155: kernel: KVM SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability
Last modified: 2024-06-25 17:53:33 UTC
CVE-2023-4155: A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can theoretically trigger a stack overflow and cause a denial-of-service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4155
https://bugzilla.redhat.com/show_bug.cgi?id=2213802
https://patchew.org/linux/20230804173355.51753-1-pbonzini@redhat.com/
https://patchew.org/linux/20230804173355.51753-1-pbonzini@redhat.com/20230804173355.51753-3-pbonzini@redhat.com/
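The double fetch in the description, as an added example that is not the kernel's code and not part of this bug report: a host handler that validates a guest-controlled GHCB field on one read and dispatches on a second read, beside a handler that copies the guest page once and then only uses its private copy, which is the idea behind the "snapshot the GHCB before accessing it" and "only access GHCB fields once" patches named later in this thread (the real KVM change differs in detail and syncs the needed fields into per-vCPU state). The `struct ghcb` layout, exit codes, handler names and the `guest_vcpu_hook` callback are hypothetical; the hook is a deterministic stand-in for the second vCPU rewriting the shared page while the host is between its two reads.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the GHCB: a page the guest can write at any
 * time, including while the host is mid-way through a VMGEXIT. Layout and
 * names are hypothetical; only three fields are modelled.
 */
struct ghcb {
    uint64_t exit_code;
    uint64_t exit_info_1;
    uint64_t exit_info_2;
};

/* Hypothetical exit codes for this example. */
enum {
    EXIT_MSR_ACCESS = 0x7c,
    EXIT_MMIO       = 0x80000001,
    EXIT_SHUTDOWN   = 0x8000000f,
};

/* Handler results. */
enum {
    HANDLED_MSR  =  1,
    HANDLED_MMIO =  2,
    REJECTED     = -1,   /* validation failed, guest gets an error */
    UNVALIDATED  = -2,   /* dispatch ran on a value validation never saw */
};

/*
 * Deterministic model of the other guest vCPU: called at the point where a
 * concurrent write to the shared page could land. A real race depends on
 * timing; the hook makes the outcome reproducible.
 */
typedef void (*guest_vcpu_hook)(struct ghcb *shared);

static bool exit_code_is_allowed(uint64_t code)
{
    return code == EXIT_MSR_ACCESS || code == EXIT_MMIO;
}

/* Vulnerable pattern: validate on one read of guest memory, dispatch on another. */
int vmgexit_double_fetch(struct ghcb *shared, guest_vcpu_hook other_vcpu)
{
    if (!exit_code_is_allowed(shared->exit_code))   /* fetch #1 */
        return REJECTED;

    if (other_vcpu)
        other_vcpu(shared);                          /* guest rewrites the page */

    switch (shared->exit_code) {                     /* fetch #2 */
    case EXIT_MSR_ACCESS: return HANDLED_MSR;
    case EXIT_MMIO:       return HANDLED_MMIO;
    default:              return UNVALIDATED;        /* reached despite the check */
    }
}

/*
 * Fixed pattern: copy guest memory exactly once, then validate and dispatch
 * on the private copy. In kernel code the copy must also stop the compiler
 * from re-reading the shared page (an explicit copy or READ_ONCE), not just
 * look like one read at the source level.
 */
int vmgexit_snapshot(struct ghcb *shared, guest_vcpu_hook other_vcpu)
{
    struct ghcb snap;
    memcpy(&snap, shared, sizeof(snap));             /* single fetch */

    if (!exit_code_is_allowed(snap.exit_code))
        return REJECTED;

    if (other_vcpu)
        other_vcpu(shared);                          /* cannot influence snap */

    switch (snap.exit_code) {
    case EXIT_MSR_ACCESS: return HANDLED_MSR;
    case EXIT_MMIO:       return HANDLED_MMIO;
    default:              return UNVALIDATED;
    }
}

/* Constructed attacker behaviour: swap in a code the validation would reject. */
void rewrite_exit_code(struct ghcb *shared)
{
    shared->exit_code = EXIT_SHUTDOWN;
}

/* Constructed scenarios: same initial page, same attacker, each handler. */
int run_double_fetch_under_race(void)
{
    struct ghcb page = { .exit_code = EXIT_MSR_ACCESS, .exit_info_1 = 0, .exit_info_2 = 0 };
    return vmgexit_double_fetch(&page, rewrite_exit_code);
}

int run_snapshot_under_race(void)
{
    struct ghcb page = { .exit_code = EXIT_MSR_ACCESS, .exit_info_1 = 0, .exit_info_2 = 0 };
    return vmgexit_snapshot(&page, rewrite_exit_code);
}

int run_snapshot_bad_code(void)
{
    struct ghcb page = { .exit_code = EXIT_SHUTDOWN, .exit_info_1 = 0, .exit_info_2 = 0 };
    return vmgexit_snapshot(&page, NULL);
}

int main(void)
{
    printf("double fetch under race: %d\n", run_double_fetch_under_race());
    printf("snapshot under race:     %d\n", run_snapshot_under_race());
    printf("snapshot, bad code:      %d\n", run_snapshot_bad_code());
    return 0;
}
```

The double-fetch handler returns `UNVALIDATED` (-2) under the race: the `default` branch, which the check on the first read was supposed to make unreachable, is exactly where an unexpected or unsupported exit path starts. The snapshot handler returns `HANDLED_MSR` for the same attack and `REJECTED` when the bad code is present from the start, so validation and dispatch can no longer disagree.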
CONFIG_VMAP_STACK enabled since SLE12-SP4 (x86_64), since SLE15-SP2 for all archs
Gentle ping. We are almost in the middle of the SLA.
Patch series can be found at https://lore.kernel.org/lkml/20230804173355.51753-2-pbonzini@redhat.com/T/#md9b752b8c3522b78e7effa4ed7822ab35619d518. Although the CVE impact is mitigated by CONFIG_VMAP_STACK being enabled, it certainly makes sense to port these patches to affected kernels to prevent the denial of service. Patches are already present in SLE15-SP6, ALP-current & main. Backport to SLE15-SP4 is currently in progress.
Backport to SLE15-SP4 has been submitted.
The patch seems missing in SLE15-SP6 branch. Roy, could you backport it there, too? Note that the branch was created after the comment 4 time point.
Two of the three patches from the series are already present in SLE15-SP6:
patches.suse/KVM-SEV-snapshot-the-GHCB-before-accessing-it.patch
patches.suse/KVM-SEV-only-access-GHCB-fields-once.patch
The other patch only includes a code tidy-up and no functional changes. I have a backport ready for the patch but don't see it as required to address this bug, as the two present patches perform the actual fix, so I haven't actually pushed it yet. Do you want me to push it?
SUSE-SU-2023:4058-1: An update that solves 18 vulnerabilities, contains three features and has 71 security fixes can now be installed.
Category: security (important)
Bug References: 1065729, 1152472, 1187236, 1201284, 1202845, 1206453, 1208995, 1210169, 1210643, 1210658, 1212639, 1212703, 1213123, 1213534, 1213808, 1214022, 1214037, 1214040, 1214233, 1214351, 1214479, 1214543, 1214635, 1214813, 1214873, 1214928, 1214940, 1214941, 1214942, 1214943, 1214944, 1214945, 1214946, 1214947, 1214948, 1214949, 1214950, 1214951, 1214952, 1214953, 1214954, 1214955, 1214957, 1214958, 1214959, 1214961, 1214962, 1214963, 1214964, 1214965, 1214966, 1214967, 1214986, 1214988, 1214990, 1214991, 1214992, 1214993, 1214995, 1214997, 1214998, 1215115, 1215117, 1215123, 1215124, 1215148, 1215150, 1215221, 1215275, 1215322, 1215467, 1215523, 1215581, 1215752, 1215858, 1215860, 1215861, 1215875, 1215877, 1215894, 1215895, 1215896, 1215899, 1215911, 1215915, 1215916, 1215941, 1215956, 1215957
CVE References: CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-37453, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-40283, CVE-2023-4155, CVE-2023-42753, CVE-2023-42754, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5345
Jira References: PED-1549, PED-2023, PED-2025
Sources used:
openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1
Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
If they are in SP5, better to be applied to SP6 at the same time, too.
Final patch in the series has now been merged to SLE15-SP6 branch and tagged with BSC/CVE.
done, closing