Bug 1809948 (CVE-2020-10702)

Summary: CVE-2020-10702 qemu: weak signature generation in Pointer Authentication support for ARM
Product: [Other] Security Response
Component: vulnerability
Reporter: Mauro Matteo Cascella <mcascell>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: qemu 5.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.
Last Closed: 2021-10-28 10:42:48 UTC
Bug Depends On: 1813940, 1820234
Bug Blocks: 1809099
CC: ailan, amit, areis, berrange, cfergeau, ddepaula, drjones, dwmw2, imammedo, itamar, jen, jferlan, jforbes, jjoyce, jmaloy, jschluet, knoel, lhh, lkundrak, lpeer, m.a.young, mburns, mkenneth, mrezanin, mst, pbonzini, ribarry, rjones, robinlee.sysu, sclewis, security-response-team, slinaber, virt-maint, vkuznets, xen-maint

Description Mauro Matteo Cascella 2020-03-04 09:42:50 UTC
A flaw was found in QEMU Pointer Authentication (PAuth) support for ARM introduced in version 4.0.
Specifically, a general failure of the signature generation process causes every PAuth-enforced pointer to be signed with the same signature, resulting in weaker encryption than advertised by the design of the PAuth technique.

An attacker can easily obtain the signature of the protected pointer and bypass PAuth through brute-force guessing or information disclosure vulnerabilities, and all programs running on QEMU will lose protection from PAuth.

Comment 2 Andrew Jones 2020-03-09 19:24:12 UTC
(In reply to Mauro Matteo Cascella from comment #1)
> Statement:
> 
> This flaw did not affect the versions of `qemu-kvm-ma` as shipped with Red
> Hat Enterprise Linux for ARM 64 7 as they did not include support for
> Pointer Authentication. The same is true for the versions of `qemu-kvm` as
> shipped with Red Hat Enterprise Linux 6, 7 and 8.

qemu-kvm-av (Advanced Virtualization) is based on QEMU 4.2 for RHEL 8.2, so it does contain PAuth support. However, we don't generally support the use of QEMU as an emulator. We only support its use with KVM. Additionally, the RHEL 8 guest kernel (which is the only supported guest kernel) already has ARM64_USER_VA_BITS_52 enabled, so nobody should be counting on PAuth with that.

I agree with keeping the priority/severity of this bug low.

Comment 5 Joshua Padman 2020-03-11 22:35:40 UTC
Statement:

Several packages are unaffected because they do not include support for Pointer Authentication. These include:
* `qemu-kvm-ma` as shipped with Red Hat Enterprise Linux for ARM 64 7
* `qemu-kvm` as shipped with Red Hat Enterprise Linux 6, 7 and 8
* `qemu-kvm-rhev` as shipped with Red Hat OpenStack Platform 10 and 13

Comment 11 Mauro Matteo Cascella 2020-04-02 10:22:02 UTC
Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=de0b1bae6461f67243282555475f88b2384a1eb9

Comment 12 Mauro Matteo Cascella 2020-04-02 14:54:00 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1820234]

Comment 14 Mauro Matteo Cascella 2020-04-06 10:28:04 UTC
Acknowledgments:

Name: Xingman Chen, Yuan Li (NISL, Tsinghua University)