Bug 2250458 (AMD-SN-3007, CVE-2023-31346)

Summary: CVE-2023-31346 kernel: Reserved fields in guest message responses may not be zero initialized
Product: [Other] Security Response Reporter: Nick Tait <ntait>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, jforbes, security-response-team, sidakwo, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in some AMD CPUs where the guest message responses have not been zero-initialized. This issue may allow a local attacker with the ability to run arbitrary code on a container or virtual machine to discover sensitive information contained in the host system's memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2250464, 2279329    
Bug Blocks: 2250459    

Description Nick Tait 2023-11-18 18:52:11 UTC 
Reserved fields in guest message responses may not be zero initialized.
The size of(snp_msg_cpuid_rsp_t) bytes are zero initialized, but ReqHdr->msg_size is sent out for the request. If a guest sets ReqHdr->msg_size to a higher value than sizeof(snp_msg_cpuid_rsp_t),
the firmware may leak stale memory from gpSevScratchBuf+(PAGE_SIZE_4K*3). The stale data leaked to software may contain guest private data or SEV firmware sensitive data.
Comment 8 Alex 2024-05-06 14:46:13 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2279329]
Comment 12 errata-xmlrpc 2024-07-02 15:26:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4262 https://access.redhat.com/errata/RHSA-2024:4262
Comment 13 errata-xmlrpc 2024-07-09 08:48:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:4409 https://access.redhat.com/errata/RHSA-2024:4409
Comment 14 errata-xmlrpc 2024-07-23 14:54:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:4733 https://access.redhat.com/errata/RHSA-2024:4733
Comment 15 errata-xmlrpc 2024-07-23 15:27:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:4741 https://access.redhat.com/errata/RHSA-2024:4741
Comment 16 errata-xmlrpc 2024-07-23 16:23:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4774 https://access.redhat.com/errata/RHSA-2024:4774
Comment 17 errata-xmlrpc 2024-08-20 16:08:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5640 https://access.redhat.com/errata/RHSA-2024:5640
Comment 18 errata-xmlrpc 2024-08-27 07:37:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:5883 https://access.redhat.com/errata/RHSA-2024:5883