Bug 1144835 (CVE-2014-3645) - CVE-2014-3645 kernel: kvm: vmx: invept vm exit not handled
Summary: CVE-2014-3645 kernel: kvm: vmx: invept vm exit not handled
Status: CLOSED ERRATA
Alias: CVE-2014-3645
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20141021,repor...
Keywords: Security
Depends On: 1116936 1144837 1144838 1145449 1152986 1173147
Blocks: 1144830
Reported: 2014-09-21 12:32 UTC by Petr Matousek
Modified: 2019-06-08 20:11 UTC (History)

It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) instructions. On hosts with an Intel processor and invept VM exit support, an unprivileged guest user could use these instructions to crash the guest.
Clone Of:
Last Closed: 2015-04-22 11:05:48 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1724 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-10-29 01:33:03 UTC
Red Hat Product Errata RHSA-2014:1843 normal SHIPPED_LIVE Important: kernel security and bug fix update 2014-11-11 20:34:11 UTC
Red Hat Product Errata RHSA-2015:0126 normal SHIPPED_LIVE Critical: rhev-hypervisor6 security update 2015-02-04 22:52:31 UTC
Red Hat Product Errata RHSA-2015:0284 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-03-03 17:49:58 UTC

Description Petr Matousek 2014-09-21 12:32:49 UTC
On systems with invept instruction support (the corresponding bit in the IA32_VMX_EPT_VPID_CAP MSR is set), guest invocation of invept causes a VM exit, which is currently not handled and causes an unknown exit error to be propagated to userspace.

A local unprivileged guest user could use this flaw to crash the
guest.

Upstream fix:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bfd0a56b90005f8c8a004baf407ad90045c2b11e

Acknowledgements:

Red Hat would like to thank the Advanced Threat Research team at Intel Security for reporting this issue.
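
As an added illustration (not code from the kernel or from this report): the defect is a missing entry in the VMX exit-reason dispatch table, so a guest's invept lands in the unknown-exit fallthrough that is handed to userspace; the model below puts the pre-fix table beside a post-fix table that registers the handler the upstream commit adds. The exit-reason value 50 is the Intel SDM's INVEPT basic exit reason; the handler names, vcpu struct and outcome enum are assumptions made for this model.

```c
/* Illustrative model of the VMX exit dispatch behind this bug, written for this
 * page; it is not the kernel's code. Exit reason numbers follow the Intel SDM
 * (INVEPT = 50); handler names, the vcpu struct and the outcome enum are assumed. */
#include <stdbool.h>

#define EXIT_REASON_CPUID   10
#define EXIT_REASON_INVEPT  50
#define MAX_EXIT_REASON     64

enum outcome {
    RESUME_GUEST,         /* handler consumed the exit; guest keeps running */
    INJECT_UD,            /* handler queued #UD into the guest; guest keeps running */
    EXIT_UNKNOWN_TO_USER  /* no handler: "unknown exit" handed to userspace */
};

struct vcpu { bool nested_ept_exposed; }; /* was the guest told it may use nested EPT? */

typedef enum outcome (*exit_handler)(struct vcpu *);

static enum outcome handle_cpuid(struct vcpu *v) { (void)v; return RESUME_GUEST; }

/* What the upstream fix adds, simplified: for a guest that was never given nested
 * EPT, invept is an undefined instruction, so it gets #UD rather than losing the VM. */
static enum outcome handle_invept(struct vcpu *v)
{
    return v->nested_ept_exposed ? RESUME_GUEST /* nested EPT flush goes here */ : INJECT_UD;
}

/* Before the fix: no entry for EXIT_REASON_INVEPT. After: the handler is registered. */
static exit_handler handlers_before[MAX_EXIT_REASON] = { [EXIT_REASON_CPUID] = handle_cpuid };
static exit_handler handlers_after[MAX_EXIT_REASON]  = { [EXIT_REASON_CPUID]  = handle_cpuid,
                                                         [EXIT_REASON_INVEPT] = handle_invept };

/* A missing entry falls through to the unknown-exit path, which userspace
 * treats as fatal: that is the guest crash the report describes. */
enum outcome dispatch_exit(exit_handler *table, unsigned reason, struct vcpu *v)
{
    if (reason < MAX_EXIT_REASON && table[reason])
        return table[reason](v);
    return EXIT_UNKNOWN_TO_USER;
}

enum outcome invept_before_fix(void)        { struct vcpu v = { false };  return dispatch_exit(handlers_before, EXIT_REASON_INVEPT, &v); }
enum outcome invept_after_fix(bool nested)  { struct vcpu v = { nested }; return dispatch_exit(handlers_after,  EXIT_REASON_INVEPT, &v); }
```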

Comment 5 Petr Matousek 2014-10-15 10:37:58 UTC
Statement:

This issue does affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 6 and 7. Future updates may address this issue in the respective Red Hat Enterprise Linux releases.


This issue does affect the kvm packages as shipped with Red Hat Enterprise Linux 5.

Red Hat Enterprise Linux 5 is now in the Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 6 errata-xmlrpc 2014-10-28 21:34:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1724 https://rhn.redhat.com/errata/RHSA-2014-1724.html

Comment 7 Martin Prpič 2014-10-29 12:39:18 UTC
IssueDescription:

It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) instructions. On hosts with an Intel processor and invept VM exit support, an unprivileged guest user could use these instructions to crash the guest.

Comment 8 errata-xmlrpc 2014-11-11 15:34:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1843 https://rhn.redhat.com/errata/RHSA-2014-1843.html

Comment 10 errata-xmlrpc 2015-02-04 17:52:55 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2015:0126 https://rhn.redhat.com/errata/RHSA-2015-0126.html

Comment 11 errata-xmlrpc 2015-03-03 12:50:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0284 https://rhn.redhat.com/errata/RHSA-2015-0284.html
