Bug 1947982 (CVE-2020-36310)

Summary: CVE-2020-36310 kernel: infinite loop in set_memory_region_test in arch/x86/kvm/svm/svm.c for certain nested page faults
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, blc, bmasney, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, steved, tomckay, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: linux-kernel 5.9 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A nested page fault is created when an address does not have a memslot associated to it. The highest threat from this vulnerability is to system availability. This flaw can be triggered using a malformed Virtual Machine. When triggered this bug will lead to the user-space component of KVM to freeze.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-01 10:56:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1947983    
Bug Blocks: 1947984    

Description Guilherme de Almeida Suckevicz 2021-04-09 16:53:36 UTC
An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults.

Reference and upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-04-09 16:54:28 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1947983]

Comment 2 Justin M. Forbes 2021-04-12 21:18:21 UTC
This was fixed for Fedora with the 5.8 kernel rebases.

Comment 3 Jan Werner 2021-05-04 11:39:01 UTC
From Paolo Bonzini:
On 30/04/21 20:32, Jan Werner wrote:
> So to trigger this flaw one would have to run a nested Virtual Machine,
> and attempt to execute the code from an instruction pointer that does
> not have a memslost assigned to that memory location?
> If that's the case, what conditions need to occur for that to happen?

You don't need a nested virtual machine.  This is a "nested page fault",
ie. a guest-to-hypervisor page fault.  You just need to run the KVM
selftests to reproduce the bug.

> I saw the discussion here:
> http://lkml.iu.edu/hypermail/linux/kernel/2004.2/03025.html
> <http://lkml.iu.edu/hypermail/linux/kernel/2004.2/03025.html>
> And I believe that I understand the conditions observed in the testing.
> Can you help me understand how those conditions can be reproduced in the
> production?

The bug would happen when the VM executes from a non-existing address;
in production it would only happen with a buggy VM.  Instead of exiting
immediately with an error, it would retry forever (but it's
interruptible with Ctrl-C, i.e. not a serious issue).  Who decided to
give this bug a CVE, and can it be retracted?  This is just a bug with
no security consequences.