Bug 525490 - Kernel: KVM multiple DOS vulnerabilities (CVE-2014-{3610,3611,3645,3646,3647})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Security
URL:
Whiteboard:
Keywords:
: CVE-2014-3610
Depends on:
Blocks:
 
Reported: 2014-10-15 10:59 UTC by Stefan Behte (RETIRED)
Modified: 2022-03-25 22:27 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
0001-KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch (4.31 KB, patch), 2014-10-15 10:59 UTC, Stefan Behte (RETIRED)
0001-KVM-x86-Prevent-guest-from-writing-non-canonical-MSR.patch (3.14 KB, patch), 2014-10-15 10:59 UTC, Stefan Behte (RETIRED)
CVE-2014-3611.patch (1.02 KB, patch), 2014-10-15 11:00 UTC, Stefan Behte (RETIRED)
CVE-2014-3646.patch (2.82 KB, patch), 2014-10-15 11:00 UTC, Stefan Behte (RETIRED)
CVE-2014-3647.mbox (58.71 KB, application/mbox), 2014-10-15 11:00 UTC, Stefan Behte (RETIRED)
Contains 0001-KVM* (CVE-2014-3610-patches.tgz, 2.98 KB, application/x-gzip), 2014-10-15 11:01 UTC, Stefan Behte (RETIRED)

Description Stefan Behte (RETIRED) gentoo-dev Security 2014-10-15 10:59:14 UTC
Created attachment 386716
0001-KVM-x86-Check-non-canonical-addresses-upon-WRMSR.patch

From Vendorsec, I got the patches from Petr Matousek (pmatouse@redhat.com).
The embargo lift date is 2014-10-28.


CVE-2014-3646 kernel: kvm: vmx: invvpid vm exit not handled
	IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
	causes vm exit, which is currently not handled and causes unknown
	exit error to be propagated to userspace.

	A local unprivileged guest user could use this flaw to crash the
	guest.

	Reported by Advanced Threat Research team at Intel Security.

CVE-2014-3645 kernel: kvm: vmx: invept vm exit not handled
	On systems with invept instruction support (corresponding bit in
	IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invept
	causes vm exit, which is currently not handled and causes unknown
	exit error to be propagated to userspace.

	A local unprivileged guest user could use this flaw to crash the
	guest.

	Reported by Advanced Threat Research team at Intel Security.

	Upstream fix:

	http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bfd0a56b90005f8c8a004baf407ad90045c2b11e


CVE-2014-3611 kernel: kvm: PIT timer race condition
	There's a race condition in the PIT emulation code in KVM.  In
	__kvm_migrate_pit_timer the pit_timer object is accessed without
	synchronization.

	A local guest user with access to the PIT i/o ports could use this flaw to
	crash the host.

	Reported by Lars Bull of Google.


CVE-2014-3610 kernel: kvm: noncanonical MSR writes
	If the guest writes a noncanonical value to certain MSR registers, KVM will
	write that value to the MSR in the host context and a #GP will be raised
	leading to kernel panic.

	A privileged guest user can use this flaw to crash the host.

	Enabling CONFIG_PARAVIRT when building the kernel mitigates this issue
	because wrmsrl() ends up invoking safe msr write variant.

	Independently reported by Lars Bull of Google and Nadav Amit.


CVE-2014-3647 kernel: kvm: noncanonical rip after emulation
	kvm currently mishandles noncanonical addresses when emulating instructions
	that change rip (eg branches, calls), potentially causing a failed VM-entry.

	A guest user with access to I/O or MMIO region can use this flaw to crash the
	guest.

	Reported by Nadav Amit.
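The canonical-address rule behind CVE-2014-3610 above (the same rule CVE-2014-3647 applies to rip after emulation), as an added user-space C model written for this page, not the attached patches or the kernel's code: the unchecked path lets the guest's value reach a host wrmsr, while the checked path turns it into a #GP for the guest. The 48-bit address width, the choice of guarded MSRs and the simulated host_wrmsr are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define VA_BITS 48 /* assumed 4-level paging: bits 63..47 must all equal bit 47 */

/* Architectural x86 MSR indices. Guarding exactly these MSRs is this example's
 * choice, not a claim about what the attached patches check. */
#define MSR_EFER           0xc0000080 /* flag bits, not an address: never checked */
#define MSR_LSTAR          0xc0000082 /* 64-bit SYSCALL target RIP */
#define MSR_FS_BASE        0xc0000100
#define MSR_GS_BASE        0xc0000101
#define MSR_KERNEL_GS_BASE 0xc0000102

/* Non-canonical when the top 17 bits are neither all 0 nor all 1. */
static bool is_noncanonical_address(uint64_t la)
{
    uint64_t top = la >> (VA_BITS - 1);
    return top != 0 && top != (UINT64_MAX >> (VA_BITS - 1));
}

static bool msr_holds_linear_address(uint32_t msr)
{
    return msr == MSR_LSTAR || msr == MSR_FS_BASE ||
           msr == MSR_GS_BASE || msr == MSR_KERNEL_GS_BASE;
}

enum wrmsr_result { WRMSR_OK, WRMSR_INJECT_GP, WRMSR_HOST_GP };

/* Stand-in for the real wrmsr executed in host context: the CPU raises #GP on a
 * non-canonical value for these MSRs, which inside the kernel means a panic. */
static enum wrmsr_result host_wrmsr(uint32_t msr, uint64_t data)
{
    if (msr_holds_linear_address(msr) && is_noncanonical_address(data))
        return WRMSR_HOST_GP;
    return WRMSR_OK;
}

/* Pre-fix behaviour: the guest's value goes straight to the host MSR. */
enum wrmsr_result kvm_set_msr_unchecked(uint32_t msr, uint64_t data)
{ return host_wrmsr(msr, data); }

/* Fixed behaviour: validate first, so a bad value becomes a #GP injected into
 * the guest and the host never executes the faulting wrmsr. */
enum wrmsr_result kvm_set_msr_checked(uint32_t msr, uint64_t data)
{
    if (msr_holds_linear_address(msr) && is_noncanonical_address(data))
        return WRMSR_INJECT_GP;
    return host_wrmsr(msr, data);
}
```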
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2014-10-15 10:59:43 UTC
Created attachment 386718
0001-KVM-x86-Prevent-guest-from-writing-non-canonical-MSR.patch
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2014-10-15 11:00:05 UTC
Created attachment 386720
CVE-2014-3611.patch
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2014-10-15 11:00:22 UTC
Created attachment 386722
CVE-2014-3646.patch
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2014-10-15 11:00:53 UTC
Created attachment 386724
CVE-2014-3647.mbox
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2014-10-15 11:01:51 UTC
Created attachment 386726
Contains 0001-KVM*
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2014-10-15 11:04:30 UTC
Let's just bump after the new kernel is out.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-04 01:13:31 UTC
Unrestricting this bug since we are WAY past the embargo and the issues are now public.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2015-01-04 01:14:07 UTC
*** Bug 526676 has been marked as a duplicate of this bug. ***
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 01:15:39 UTC
CVE-2014-3647 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3647):
  arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through
  3.17.2 does not properly perform RIP changes, which allows guest OS users to
  cause a denial of service (guest OS crash) via a crafted application.

CVE-2014-3646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3646):
  arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2
  does not have an exit handler for the INVVPID instruction, which allows
  guest OS users to cause a denial of service (guest OS crash) via a crafted
  application.

CVE-2014-3645 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3645):
  arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does
  not have an exit handler for the INVEPT instruction, which allows guest OS
  users to cause a denial of service (guest OS crash) via a crafted
  application.

CVE-2014-3611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3611):
  Race condition in the __kvm_migrate_pit_timer function in
  arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2
  allows guest OS users to cause a denial of service (host OS crash) by
  leveraging incorrect PIT emulation.

CVE-2014-3610 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3610):
  The WRMSR processing functionality in the KVM subsystem in the Linux kernel
  through 3.17.2 does not properly handle the writing of a non-canonical
  address to a model-specific register, which allows guest OS users to cause a
  denial of service (host OS crash) by leveraging guest OS privileges, related
  to the wrmsr_interception function in arch/x86/kvm/svm.c and the
  handle_wrmsr function in arch/x86/kvm/vmx.c.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 22:27:50 UTC
Fixes all in by 4.6