Bug 2213802 (CVE-2023-4155)

Summary: CVE-2023-4155 kernel: KVM: SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bdas, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, pbonzini, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, sukulkar, tglozar, tyberry, vkumar, vkuznets, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2213805, 2213806, 2213807, 2213808, 2229642    
Bug Blocks: 2196446    

Description Mauro Matteo Cascella 2023-06-09 12:51:46 UTC 
A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can theoretically trigger a stack overflow and cause a denial-of-service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).
Comment 2 Mauro Matteo Cascella 2023-06-09 13:31:42 UTC 
RHEL-6 and RHEL-7 kernels are not affected by this flaw as they did not include support for KVM AMD Secure Encrypted Virtualization (SEV).
Comment 3 Mauro Matteo Cascella 2023-06-09 13:41:53 UTC 
In reply to comment #0:
> [..] potentially guest-to-host escape in kernel configurations without
> stack guard pages (`CONFIG_VMAP_STACK`).

Note that this kernel option is enabled by default in Red Hat Enterprise Linux 8 and 9.
Comment 8 Mauro Matteo Cascella 2023-08-07 07:29:54 UTC 
Patch series:
https://patchew.org/linux/20230804173355.51753-1-pbonzini@redhat.com/

Patch:
https://patchew.org/linux/20230804173355.51753-1-pbonzini@redhat.com/20230804173355.51753-3-pbonzini@redhat.com/
Comment 9 Mauro Matteo Cascella 2023-08-07 07:30:29 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2229642]
Comment 10 errata-xmlrpc 2023-11-07 08:20:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583
Comment 11 errata-xmlrpc 2023-11-14 15:15:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901
Comment 12 errata-xmlrpc 2023-11-14 15:21:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077