Bug 1836244 (CVE-2020-12888)

Summary: CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario
Product: [Other] Security Response Reporter: Prasad Pandit <ppandit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, airlied, alex.williamson, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, jmaloy, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, mvanderw, nmurray, ptalbert, qzhao, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, where it allows userspace processes, for example, a guest VM, to directly access h/w devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access the read/write devices' MMIO address space when it is disabled, some h/w devices issue an interrupt to the CPU to indicate a fatal error condition, crashing the system. This flaw allows a guest user or process to crash the host system resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-23 17:20:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1820632, 1836245, 1837291, 1837292, 1837293, 1837294, 1837295, 1837297, 1837298, 1837299, 1837300, 1837301, 1837302, 1837303, 1837304, 1837305, 1837306, 1837307, 1837308, 1837309, 1837310, 1837311, 1837312, 1837313, 1837314    
Bug Blocks: 1827369    

Description Prasad Pandit 2020-05-15 13:13:38 UTC 
Linux kernel allows user space processes (like guest VM) to directly access h/w devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access(r/w) devices' MMIO address space, when it is disabled, some h/w devices issue an interrupt to the CPU to indicate a fatal error condition, essentially crashing down the system. A guest user/process may use this flaw to crash the host system resulting in DoS scenario.

Upstream patches:
-----------------
  -> https://lore.kernel.org/kvm/158871570274.15589.10563806532874116326.stgit@gimli.home/
  -> https://lore.kernel.org/kvm/158871401328.15589.17598154478222071285.stgit@gimli.home/

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/05/19/6
Comment 1 Prasad Pandit 2020-05-15 13:14:11 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1836245]
Comment 3 RaTasha Tillery-Smith 2020-05-18 15:27:06 UTC 
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
This issue affects the versions of the kernel package as shipped with Red Hat Enterprise Linux 7 and 8. Future kernel updates for Red Hat Enterprise Linux 7 and 8 may address this issue.
Comment 9 errata-xmlrpc 2020-06-23 12:25:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2664 https://access.redhat.com/errata/RHSA-2020:2664
Comment 10 errata-xmlrpc 2020-06-23 12:26:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2665 https://access.redhat.com/errata/RHSA-2020:2665
Comment 11 Product Security DevOps Team 2020-06-23 17:20:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12888
Comment 12 errata-xmlrpc 2020-07-07 08:27:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:2831 https://access.redhat.com/errata/RHSA-2020:2831
Comment 13 errata-xmlrpc 2020-07-07 08:37:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:2832 https://access.redhat.com/errata/RHSA-2020:2832
Comment 14 errata-xmlrpc 2020-07-07 09:52:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2851 https://access.redhat.com/errata/RHSA-2020:2851
Comment 15 errata-xmlrpc 2020-07-07 13:19:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854
Comment 17 errata-xmlrpc 2020-07-21 11:05:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3010 https://access.redhat.com/errata/RHSA-2020:3010
Comment 18 errata-xmlrpc 2020-07-21 11:23:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3016 https://access.redhat.com/errata/RHSA-2020:3016
Comment 19 errata-xmlrpc 2020-07-21 13:41:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3019 https://access.redhat.com/errata/RHSA-2020:3019
Comment 20 errata-xmlrpc 2020-07-21 14:32:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3041 https://access.redhat.com/errata/RHSA-2020:3041
Comment 22 errata-xmlrpc 2020-07-29 19:37:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3222 https://access.redhat.com/errata/RHSA-2020:3222
Comment 23 errata-xmlrpc 2020-07-29 21:40:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3230 https://access.redhat.com/errata/RHSA-2020:3230