808990 – (CVE-2021-3653, CVE-2021-3656) SVM nested virtualization issues in KVM

Bug 808990 (CVE-2021-3653, CVE-2021-3656) - SVM nested virtualization issues in KVM

Summary: SVM nested virtualization issues in KVM

Status:	RESOLVED FIXED

Alias:	CVE-2021-3653, CVE-2021-3656

Product:	Gentoo Security
Classification:	Unclassified
Component:	Kernel (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Kernel Security

URL:	https://www.openwall.com/lists/oss-se...
Whiteboard:
Keywords:

Depends on:	808936 808939
Blocks:
	Show dependency tree

Reported:	2021-08-19 05:10 UTC by Michał Górny
Modified:	2022-03-26 01:35 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2021-08-19 05:10:36 UTC

Fixed in 5.4.142, 5.10.60, 5.13.12. I don't know if 4.x are affected.

From $URL:

---------------------
CVE-2021-3653
----------------------
This issue is caused by missing validation of the `int_ctl` VMCB field
and allows a malicious L1 guest to enable AVIC support (Advanced
Virtual Interrupt Controller) for the L2 guest. The L2 guest is able
to write to a limited but still relatively large subset of the host
physical memory. Note that AVIC is currently not supported with
nesting and it is not advertised in the L1 CPUID.

This bug dates back to kernel 2.6.30 where it was first introduced via
commit: https://github.com/torvalds/linux/commit/3d6368ef580a.

CVE-2021-3653 has been assigned by Red Hat, Inc.

----------------------
CVE-2021-3656
----------------------
This issue is caused by missing validation of the the `virt_ext` VMCB
field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE
intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under
these circumstances, the L2 guest is able to run VMLOAD/VMSAVE
unintercepted, and thus read/write portions of the host physical
memory.

This bug was introduced in kernel version 4.13 while enabling the
Virtual VMLOAD/VMSAVE feature:
https://github.com/torvalds/linux/commit/89c8a4984fc9.

CVE-2021-3656 has been assigned by Red Hat, Inc.

---------
Impact
---------
The nested guest (L2) could use these flaws to read/write physical
pages of the host, resulting in a crash of the entire system, leak of
sensitive data or potential guest-to-host escape.

-------------
Mitigation
-------------
Both vulnerabilities can be mitigated by disabling the nested
virtualization feature when loading kvm:
# modprobe kvm_amd nested=0

Disabling VLS (Virtual VMLOAD/VMSAVE) is an alternative mitigation for
CVE-2021-3656:
# modprobe kvm_amd vls=0

----------
Credits
----------
CVE-2021-3653: Maxim Levitsky (Red Hat)
CVE-2021-3656: Maxim Levitsky (Red Hat) and Paolo Bonzini (Red Hat)

--------
Patch
--------
CVE-2021-3653: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=0f923e07124df069ba68d8bb12324398f4b6b709
CVE-2021-3656: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc

Comment 1 Larry the Git Cow gentoo-dev

2021-08-28 06:53:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f893aaebf4beadb0d6062f970dc86f25db9cce0

commit 2f893aaebf4beadb0d6062f970dc86f25db9cce0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-08-28 06:32:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-08-28 06:53:55 +0000

    package.mask: Mask vulnerable EOL kernels
    
    Bug: https://bugs.gentoo.org/808990
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)

Comment 2 John Helmert III archtester

2022-03-26 01:35:06 UTC

Fixes in 4.9.281, 4.14.245, 4.19.205, 5.4.142, 5.10.60, 5.14. All done.