Bug 1527112 (CVE-2017-17741)

Summary: CVE-2017-17741 kernel: kvm: stack-based out-of-bounds read via vmcall instruction
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, esammons, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pbonzini, plougher, ppandit, rt-maint, rvrbovsk, skozina, steved, vdronov, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The Linux kernel compiled with KVM virtualization (CONFIG_KVM) support is vulnerable to a stack-based out-of-bounds read. The issue could occur when emulating the vmcall instruction invoked by a guest. A guest user or process could use this flaw to disclose kernel memory bytes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-16 15:26:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1527113, 1527114
Bug Blocks: 1527116

Description Adam Mariš 2017-12-18 15:12:49 UTC
The Linux kernel built with KVM virtualization (CONFIG_KVM) support is vulnerable
to an out-of-bounds read access issue. It could occur when emulating the vmcall
instruction invoked by a guest.

A guest user/process could use this flaw to disclose kernel memory bytes.

Upstream patch:
---------------
  -> https://www.spinics.net/lists/kvm/msg160796.html

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2017/12/19/2

Comment 1 Adam Mariš 2017-12-18 15:17:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1527113]

Comment 5 Vladis Dronov 2018-01-04 17:48:12 UTC
Reproducer:

Comment 6 Eric Christensen 2018-01-04 18:27:30 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 6 and 7.

This has been rated as having Low security impact and is not currently
planned to be addressed in future updates. For additional information, refer
to the Red Hat Enterprise Linux Life Cycle:
https://access.redhat.com/support/policy/updates/errata/.

Comment 8 Paolo Bonzini 2018-11-16 15:26:22 UTC
Fixed by upstream commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56, included in Linux 4.15
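Added example (not code from the Linux kernel or from this bug report) modelling the bug class named in the summary: a tracing helper that always reads a fixed 8 bytes out of an emulator operand buffer that holds only `len` valid bytes, so whatever sits next to the operand on the stack is copied into the trace record and becomes readable by the guest. Beside it is the length-bounded copy, which is the approach taken by the upstream fix referenced in comment 8 (copy at most min(len, 8) bytes and zero the rest). The `frame` layout, the 0xEE filler standing in for neighbouring stack data, the constructed operand bytes and all function names are assumptions of this example.

```c
/*
 * Added example, not kernel code. Models a fixed-width read from a
 * variable-length stack operand buffer (the vulnerable pattern) beside
 * a length-bounded copy (the hardened pattern). All names and the frame
 * layout are this example's own assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_SIZE 16   /* constructed "stack frame" size */
#define VALUE_SIZE 8    /* width of the traced value */
#define FILLER 0xEE     /* marks bytes that are NOT part of the operand */

/* Constructed frame: `len` operand bytes (0x11, 0x22, ..., len <= 8),
 * followed by other local data that must never reach the trace record. */
static void build_frame(uint8_t frame[FRAME_SIZE], size_t len)
{
    for (size_t i = 0; i < FRAME_SIZE; i++)
        frame[i] = (i < len) ? (uint8_t)(0x11 * (i + 1)) : FILLER;
}

/* Vulnerable pattern: the trace helper consumes 8 bytes of the operand
 * buffer no matter how many of them are valid. */
static uint64_t trace_value_unbounded(const uint8_t *frame)
{
    uint64_t v;
    memcpy(&v, frame, VALUE_SIZE);   /* reads past the `len` valid bytes */
    return v;
}

/* Hardened pattern: copy only min(len, 8) bytes and leave the rest zero. */
static uint64_t trace_value_bounded(const uint8_t *frame, size_t len)
{
    uint64_t v = 0;
    size_t n = len < VALUE_SIZE ? len : VALUE_SIZE;
    memcpy(&v, frame, n);
    return v;
}

/* Number of FILLER bytes (non-operand stack data) that ended up in `v`.
 * Compared byte-wise so the result does not depend on host endianness. */
static int leaked_bytes(uint64_t v, size_t len)
{
    uint8_t b[VALUE_SIZE];
    int leaked = 0;
    memcpy(b, &v, VALUE_SIZE);
    for (size_t i = len; i < VALUE_SIZE; i++)
        if (b[i] == FILLER)
            leaked++;
    return leaked;
}

/* Run one case: leaked byte count for an operand of `len` bytes, using the
 * vulnerable helper (bounded == 0) or the hardened one (bounded != 0). */
static int leak_demo(size_t len, int bounded)
{
    uint8_t frame[FRAME_SIZE];
    build_frame(frame, len);
    uint64_t v = bounded ? trace_value_bounded(frame, len)
                         : trace_value_unbounded(frame);
    return leaked_bytes(v, len);
}

/* Check that the valid operand bytes survive intact in the traced value,
 * i.e. the hardened copy loses nothing the trace was meant to record. */
static int operand_preserved(size_t len, int bounded)
{
    uint8_t frame[FRAME_SIZE], b[VALUE_SIZE];
    build_frame(frame, len);
    uint64_t v = bounded ? trace_value_bounded(frame, len)
                         : trace_value_unbounded(frame);
    memcpy(b, &v, VALUE_SIZE);
    return memcmp(b, frame, len < VALUE_SIZE ? len : VALUE_SIZE) == 0;
}

int main(void)
{
    static const size_t lens[] = { 1, 2, 4, 8 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("operand len %zu: unbounded leaks %d byte(s), bounded leaks %d\n",
               lens[i], leak_demo(lens[i], 0), leak_demo(lens[i], 1));
    return 0;
}
```

For a one-byte operand the unbounded helper carries seven bytes of neighbouring stack data into the trace record; the bounded helper carries none and still records the operand itself. KASAN reports exactly this kind of over-read on a real kernel stack, which is how the issue in this report was found.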