Bug 1805135 (CVE-2020-2732)

Summary: CVE-2020-2732 Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, klaas, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, pbonzini, ppandit, qzhao, rt-maint, rvrbovsk, security-response-team, steved, williams
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the KVM hypervisor handled instruction emulation for the L2 guest when nested (=1) virtualization is enabled. During instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor.
Last Closed: 2020-05-12 16:32:14 UTC Type: ---
Bug Depends On: 1806816, 1806817, 1806818, 1806819, 1806820, 1824398, 1824399    
Bug Blocks: 1805137    
Attachments:
Description Flags
Preliminary patch none

Description Marian Rehak 2020-02-20 10:49:58 UTC
Under certain circumstances, an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources that are supposed to be inaccessible to the L2 guest according to L1 hypervisor configuration.

Only Intel processors are affected. It requires nested virtualization to be enabled, i.e. kvm-intel.nested=1.

Upstream patch(es):
-------------------
  -> https://www.spinics.net/lists/kvm/msg208259.html
  -> https://git.kernel.org/linus/07721feee46b4b248402133228235318199b05ec
  -> https://git.kernel.org/linus/35a571346a94fb93b5b3b6a599675ef3384bc75c
  -> https://git.kernel.org/linus/e71237d3ff1abf9f3388337cfebf53b96df2020d

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/02/25/3
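
A host-side check for the two preconditions stated in the description above (Intel CPU, `kvm-intel.nested=1`), as an added example that is not part of the bug report. The function name and result strings are chosen here for illustration; the check reads the standard `/proc/cpuinfo` and `/sys/module/kvm_intel/parameters/nested` files and says nothing about whether the running kernel carries the fix.

```shell
#!/bin/sh
# Added example: reports whether this host meets the preconditions named in
# the bug description (Intel CPU and kvm_intel loaded with nested enabled).
# It does NOT detect whether the kernel is patched.

# nested_precondition [CPUINFO_FILE] [NESTED_PARAM_FILE]
# Prints one of: not-intel, module-not-loaded, nested-disabled, nested-enabled
# Returns 0 only when both preconditions hold (nested-enabled).
nested_precondition() {
    cpuinfo=${1:-/proc/cpuinfo}
    param=${2:-/sys/module/kvm_intel/parameters/nested}

    # The description states that only Intel processors are affected.
    if ! grep -q '^vendor_id[[:space:]]*:[[:space:]]*GenuineIntel' "$cpuinfo" 2>/dev/null; then
        echo "not-intel"
        return 1
    fi

    # The parameter file exists only while the kvm_intel module is loaded.
    if [ ! -r "$param" ]; then
        echo "module-not-loaded"
        return 1
    fi

    # The parameter reads as Y/N or 1/0 depending on the kernel.
    val=$(tr -d '[:space:]' < "$param")
    case "$val" in
        Y|y|1)
            echo "nested-enabled"
            return 0
            ;;
        *)
            echo "nested-disabled"
            return 1
            ;;
    esac
}
```

Calling `nested_precondition` with no arguments reads the live files on the host; a result of `nested-enabled` means the host should be matched against the errata listed in the comments below.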

Comment 1 Marian Rehak 2020-02-20 10:50:06 UTC
Acknowledgments:

Name: Paolo Bonzini (Red Hat)

Comment 2 Marian Rehak 2020-02-20 10:52:19 UTC
Created attachment 1664312
Preliminary patch

Comment 3 Prasad Pandit 2020-02-25 05:18:17 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1806816]

Comment 8 errata-xmlrpc 2020-05-12 15:27:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2102 https://access.redhat.com/errata/RHSA-2020:2102

Comment 9 Product Security DevOps Team 2020-05-12 16:32:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2732

Comment 10 errata-xmlrpc 2020-05-14 19:06:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2171 https://access.redhat.com/errata/RHSA-2020:2171

Comment 11 errata-xmlrpc 2020-09-29 18:59:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4062 https://access.redhat.com/errata/RHSA-2020:4062

Comment 12 errata-xmlrpc 2020-09-29 20:53:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4060 https://access.redhat.com/errata/RHSA-2020:4060