Bug 1695044 (CVE-2019-3887)

Summary: CVE-2019-3887 Kernel: KVM: nVMX: guest accesses L0 MSR causes potential DoS
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, ptalbert, rt-maint, rvrbovsk, security-response-team, steved, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific Register (MSR) access with nested(=1) virtualization enabled. In that, L1 guest could access L0's APIC register values via L2 guest, when 'virtualize x2APIC mode' is enabled. A guest could use this flaw to potentially crash the host kernel resulting in DoS issue.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-12 12:45:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1697187, 1697198, 1697199, 1697200, 1697201    
Bug Blocks: 1695003    

Description Prasad Pandit 2019-04-02 11:30:10 UTC 
A flaw was found in the way KVM hypervisor handled x2APIC Machine Specific
Rregister(MSR) access with nested(=1) virtualization enabled. In that, L1 guest
could access L0's APIC register values via L2 guest, when 'virtualize x2APIC
mode' is enabled.

A guest could use this flaw to potentially crash the host kernel resulting in
DoS issue.

Upstream patches:
-----------------
  -> https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=acff78477b9b4f26ecdf65733a4ed77fe837e9dc
  -> https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=c73f4c998e1fd4249b9edfa39e23f4fda2b9b041

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/04/08/1
Comment 2 Prasad Pandit 2019-04-03 10:07:30 UTC 
Acknowledgments:

Name: Marc Orr (Google.com)
Comment 3 Prasad Pandit 2019-04-08 04:20:36 UTC 
Statement:

This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.
Comment 4 Prasad Pandit 2019-04-08 04:21:37 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1697187]
Comment 6 Fedora Update System 2019-04-13 01:30:32 UTC 
kernel-5.0.7-100.fc28, kernel-headers-5.0.7-100.fc28, kernel-tools-5.0.7-100.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2019-04-13 15:32:42 UTC 
kernel-5.0.7-200.fc29, kernel-headers-5.0.7-200.fc29, kernel-tools-5.0.7-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 errata-xmlrpc 2019-09-10 19:00:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703
Comment 10 errata-xmlrpc 2019-09-11 16:42:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741
Comment 11 Product Security DevOps Team 2019-09-12 12:45:42 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3887