Bug 2270836 (AMD-SN-3008, CVE-2024-25742, CVE-2024-25743)

Summary: CVE-2024-25742 CVE-2024-25743 hw: amd: Instruction raise #VC exception at exit
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, ahanwate, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, sct, scweaver, security-response-team, sidakwo, sukulkar, tglozar, tyberry, vkumar, vkuznets, wcosta, williams, wmealing, wshi, ycote, ykopkova, zhijwang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in AMD SEV-SNP, where a malicious hypervisor can potentially break confidentiality and integrity of SEV-SNP on Linux guests by injecting interrupts. An attacker can inject interrupt 0x80, which is used by Linux for legacy 32-bit system calls, and arbitrarily change the value stored in EAX while a SEV VM is running.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2270838

Description Rohit Keshri 2024-03-21 19:05:11 UTC
A vulnerability was found in AMD SEV-SNP (named "WeSee"). In this flaw, the hypervisor can inject a malicious #VC into a CPU that is executing a SEV-SNP VM at any time. Specifically, the hypervisor has the ability to inject external interrupts into the CPUs, including #VC, which is yet another exception.

It is seen that SEV-SNP invokes the #VC exception handler in the VM without checking the authenticity of the root cause. Specifically, the VC handler does not check if the VM indeed executed an instruction that would legitimately cause the CPU to generate a #VC exception.

The VC handler performs sensitive operations of copying data between the VM and the hypervisor to emulate the semantics of the instruction that generated the #VC. The handler is programmed to be bug-free and has checks to defend against Iago attacks, i.e., it clears all registers and performs checks on the data values provided by the hypervisor before it uses them as per AMD specifications [14]. However, it is not programmed to defend against a #VC that is maliciously injected by the hypervisor. Worse yet, each malicious #VC injection tricks the handler into emulating an instruction that either writes attacker-controlled data to the VM or leaks sensitive VM data to the hypervisor.

References:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=f35e46631b28a63ca3887d7afef1a65a5544da52
https://arxiv.org/html/2404.03526v1
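The description's core point is that the #VC handler emulated whatever exit reason it was handed without checking that the guest's own instruction stream could have produced it. The following is an added illustration, not code from the bug report, the WeSee paper, or the Linux kernel: a small C model of a guest-side plausibility check that decodes the instruction at the saved RIP and refuses emulation unless the decoded opcode is one that can raise the reported #VC exit reason. The exit-code constants, the `classify_vc_insn` and `vc_exit_is_plausible` names, and the constructed instruction bytes are all assumptions made for this example; the real handler's decoder and exit-reason plumbing are in the upstream commits linked above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative exit codes (assumed values, not taken from the page).
 * In hardware the #VC error code carries the exit reason; the point of the
 * check below is that this reason is only trustworthy if the instruction
 * actually sitting at RIP can produce it.
 */
enum vc_exit {
    VC_EXIT_NONE  = 0x000,   /* decoded instruction cannot raise #VC */
    VC_EXIT_CPUID = 0x072,
    VC_EXIT_IOIO  = 0x07b,
    VC_EXIT_MSR   = 0x07c,
};

/* Decode just enough of the instruction at RIP to learn which #VC exit
 * reason it could legitimately produce. Legacy prefixes and a REX byte
 * are skipped because they are valid in front of these opcodes. */
enum vc_exit classify_vc_insn(const uint8_t *insn, size_t len)
{
    size_t i = 0;

    /* operand/address-size, segment-override and REP prefixes */
    while (i < len) {
        uint8_t b = insn[i];
        if (b == 0x66 || b == 0x67 || b == 0xf2 || b == 0xf3 ||
            b == 0x2e || b == 0x36 || b == 0x3e || b == 0x26 ||
            b == 0x64 || b == 0x65)
            i++;
        else
            break;
    }
    if (i < len && (insn[i] & 0xf0) == 0x40)   /* REX.* */
        i++;
    if (i >= len)
        return VC_EXIT_NONE;

    switch (insn[i]) {
    case 0x0f:                                  /* two-byte opcode map */
        if (i + 1 >= len)
            return VC_EXIT_NONE;
        switch (insn[i + 1]) {
        case 0xa2: return VC_EXIT_CPUID;        /* CPUID */
        case 0x30:                              /* WRMSR */
        case 0x32: return VC_EXIT_MSR;          /* RDMSR */
        default:   return VC_EXIT_NONE;
        }
    case 0xe4: case 0xe5: case 0xec: case 0xed: /* IN  */
    case 0xe6: case 0xe7: case 0xee: case 0xef: /* OUT */
    case 0x6c: case 0x6d: case 0x6e: case 0x6f: /* INS / OUTS */
        return VC_EXIT_IOIO;
    default:
        return VC_EXIT_NONE;
    }
}

/* The guard the description says was missing: emulate only when the
 * reported exit reason matches what the guest's own code could raise. */
bool vc_exit_is_plausible(enum vc_exit reported, const uint8_t *insn, size_t len)
{
    enum vc_exit decoded = classify_vc_insn(insn, len);
    return decoded != VC_EXIT_NONE && decoded == reported;
}

int main(void)
{
    /* Constructed sample: a #VC claiming CPUID while RIP points at
     * "int 0x80" (cd 80), i.e. an instruction that never raises #VC. */
    static const uint8_t at_rip[] = { 0xcd, 0x80 };
    bool ok = vc_exit_is_plausible(VC_EXIT_CPUID, at_rip, sizeof at_rip);

    printf("#VC with exit 0x%x at int 0x80: %s\n", VC_EXIT_CPUID,
           ok ? "emulate" : "refuse (instruction cannot raise #VC)");
    return 0;
}
```

The model deliberately covers only the "wrong instruction" case: a #VC whose reported reason matches the opcode at RIP still passes, so this check narrows the handler's attack surface rather than removing the need to treat hypervisor-supplied values as untrusted, which is the register clearing and value checking the description already credits the handler with.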

Comment 9 errata-xmlrpc 2024-05-01 00:16:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2628 https://access.redhat.com/errata/RHSA-2024:2628

Comment 10 errata-xmlrpc 2024-05-01 00:32:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2627 https://access.redhat.com/errata/RHSA-2024:2627

Comment 11 errata-xmlrpc 2024-05-08 00:47:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2758 https://access.redhat.com/errata/RHSA-2024:2758

Comment 12 errata-xmlrpc 2024-05-22 09:13:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950

Comment 13 errata-xmlrpc 2024-05-22 09:53:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138

Comment 14 errata-xmlrpc 2024-05-28 14:07:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3421 https://access.redhat.com/errata/RHSA-2024:3421

Comment 15 errata-xmlrpc 2024-06-11 17:27:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3810 https://access.redhat.com/errata/RHSA-2024:3810