Bug 1671930 (CVE-2019-7222)

Summary: CVE-2019-7222 Kernel: KVM: leak of uninitialized stack contents to guest
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pbonzini, plougher, rt-maint, rvrbovsk, security-response-team, steved, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
An information leakage issue was found in the way the Linux kernel's KVM hypervisor handled page fault exceptions while emulating instructions such as VMXON, VMCLEAR, VMPTRLD, and VMWRITE with a memory address as an operand. It occurs if the operand is an MMIO address, because the returned exception object then holds uninitialized stack memory contents. A guest user/process could use this flaw to leak the host's stack memory contents into the guest.
Story Points: ---
Last Closed: 2019-08-06 13:21:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1671931, 1671932, 1673686, 1673845, 1673846
Bug Blocks: 1671898

Description Prasad Pandit 2019-02-02 07:08:31 UTC
An information leakage issue was found in the way the Linux kernel's KVM hypervisor
handled page fault exceptions while emulating instructions like VMXON, VMCLEAR,
VMPTRLD, and VMWRITE with a memory address as an operand. It occurs if the operand is
an MMIO address, as the returned exception object holds uninitialised stack memory
contents.

A guest user/process could use this flaw to leak host's stack memory contents
to a guest.

It affects only Intel processors and only when nested virtualization is
enabled.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/353c0956a618a07ba4bbe7ad00ff29fe70e8412a

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/02/18/2
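
To make the bug class behind this report concrete, the following is an added C example; it is not part of this report, the upstream patch, or the kernel source. It models an out-parameter (a stand-in for KVM's exception object) that is written only on the page-fault path, a caller that treats every non-OK status as a page fault to inject, and a hardened variant that fully defines the out-parameter before any early return. `struct fault_info`, `read_guest_virt_unhardened`, `read_guest_virt_hardened`, `injected_fault_address`, and the toy guest address map are all constructed names and values, not KVM's real structures or functions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PF_VECTOR 14

/* Hypothetical stand-in for the exception object a hypervisor hands back to
 * its instruction-emulation callers; field names are constructed here. */
struct fault_info {
    uint8_t  vector;            /* exception vector to inject */
    bool     error_code_valid;
    uint16_t error_code;
    uint64_t address;           /* faulting address, destined for guest CR2 */
};

enum read_result { READ_OK = 0, READ_FAULT = 1, READ_IO_NEEDED = 2 };

typedef enum read_result (*guest_reader_fn)(uint64_t gva, void *buf, size_t len,
                                            struct fault_info *fault);

/* Constructed toy guest address space: one RAM page, one MMIO window,
 * everything else unmapped. */
#define RAM_BASE  0x1000ULL
#define RAM_SIZE  0x1000ULL
#define MMIO_BASE 0xFEE00000ULL
#define MMIO_SIZE 0x1000ULL
static uint8_t guest_ram[RAM_SIZE];

/* Bug shape described in the report: 'fault' is written only on the genuine
 * page-fault path.  For an MMIO operand the function returns early with a
 * status the callers do not handle, leaving 'fault' exactly as the caller's
 * stack left it. */
static enum read_result read_guest_virt_unhardened(uint64_t gva, void *buf,
                                                   size_t len,
                                                   struct fault_info *fault)
{
    if (gva >= MMIO_BASE && gva + len <= MMIO_BASE + MMIO_SIZE)
        return READ_IO_NEEDED;                   /* 'fault' never touched */

    if (gva >= RAM_BASE && gva + len <= RAM_BASE + RAM_SIZE) {
        memcpy(buf, guest_ram + (gva - RAM_BASE), len);
        return READ_OK;
    }

    fault->vector = PF_VECTOR;                   /* real page fault */
    fault->error_code_valid = true;
    fault->error_code = 0;
    fault->address = gva;
    return READ_FAULT;
}

/* Hardened shape: every byte of the out-parameter is defined before any early
 * return, so a caller that misreads the status sees zeros, not stack data. */
static enum read_result read_guest_virt_hardened(uint64_t gva, void *buf,
                                                 size_t len,
                                                 struct fault_info *fault)
{
    memset(fault, 0, sizeof(*fault));
    return read_guest_virt_unhardened(gva, buf, len, fault);
}

/* Caller modelled on the reported behaviour: any non-OK status is treated as
 * a page fault and 'fault' is injected into the guest.  The 0xA5 fill is a
 * constructed stand-in for whatever the real kernel stack held.
 * Returns the CR2-style address the guest would observe, or 0 when no
 * exception is injected. */
static uint64_t injected_fault_address(guest_reader_fn reader, uint64_t gva)
{
    struct fault_info fault;
    uint8_t scratch[8];

    memset(&fault, 0xA5, sizeof(fault));         /* simulated stack residue */
    if (reader(gva, scratch, sizeof(scratch), &fault) == READ_OK)
        return 0;
    return fault.address;                        /* would be loaded into CR2 */
}

#define STALE_PATTERN 0xA5A5A5A5A5A5A5A5ULL

int main(void)
{
    printf("unhardened, MMIO operand: cr2=0x%llx (stale stack bytes)\n",
           (unsigned long long)injected_fault_address(read_guest_virt_unhardened, MMIO_BASE));
    printf("hardened,   MMIO operand: cr2=0x%llx\n",
           (unsigned long long)injected_fault_address(read_guest_virt_hardened, MMIO_BASE));
    printf("hardened,   unmapped:     cr2=0x%llx (real fault address)\n",
           (unsigned long long)injected_fault_address(read_guest_virt_hardened, 0xDEAD0000ULL));
    return 0;
}
```

Run stand-alone, the unhardened reader hands the guest the 0xA5 fill pattern as its CR2 value for an MMIO operand, while the hardened reader hands back zeros; a fault at a genuinely unmapped address reports the true address in both variants. Zeroing the out-parameter contains the leak, but it does not by itself make the caller's handling of the I/O-needed status correct; that remains a separate fix.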

Comment 2 Prasad Pandit 2019-02-06 07:12:05 UTC
Acknowledgments:

Name: Felix Wilhelm (Google)

Comment 4 Prasad Pandit 2019-02-07 19:01:15 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1673686]

Comment 6 Eric Christensen 2019-02-08 15:20:07 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and 6, and Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.

Note: Impact on the Red Hat Enterprise Linux 7 kernel is limited, as it requires that the nested virtualization feature is enabled on the system. The nested virtualization feature is available only as a Technology Preview.

Comment 7 errata-xmlrpc 2019-08-06 12:04:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 8 errata-xmlrpc 2019-08-06 12:07:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

Comment 9 Product Security DevOps Team 2019-08-06 13:21:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-7222

Comment 11 errata-xmlrpc 2019-11-05 20:35:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 12 errata-xmlrpc 2019-11-05 21:05:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517