Bug 1277172 - (CVE-2015-5307, XSA-156) CVE-2015-5307 virt: guest to host DoS by triggering an infinite loop in microcode via #AC exception
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20151110,repo...
Keywords: Security
Depends On: 1277557 1277559 1277560 1277561 1277563 1277564 1277565 1277566 1277567 1279688 1279689
Blocks: 1277175

Reported: 2015-11-02 09:50 EST by Martin Prpič
Modified: 2016-04-26 16:46 EDT

Doc Type: Bug Fix
Doc Text:
It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment, in the form of an infinite loop in the microcode, due to the way sequential delivery of benign exceptions such as #AC (alignment check exception) is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel.
Last Closed: 2016-01-07 09:27:41 EST

Attachments
CVE-2015-5307 proposed patch (1.61 KB, text/plain), 2015-11-02 09:52 EST, Martin Prpič


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2552 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-12-08 10:51:34 EST
Red Hat Product Errata RHSA-2015:2587 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2015-12-09 09:44:50 EST
Red Hat Product Errata RHSA-2015:2636 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-12-15 13:57:46 EST
Red Hat Product Errata RHSA-2015:2645 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-12-15 14:36:40 EST
Red Hat Product Errata RHSA-2016:0004 normal SHIPPED_LIVE Important: kernel security update 2016-01-07 13:52:46 EST
Red Hat Product Errata RHSA-2016:0024 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-01-12 14:48:34 EST
Red Hat Product Errata RHSA-2016:0046 normal SHIPPED_LIVE Important: kernel security update 2016-01-19 12:51:29 EST

Description Martin Prpič 2015-11-02 09:50:51 EST
It was found that a guest can DoS a host by triggering an infinite loop in microcode. If a guest in 32-bit mode enables alignment exceptions, puts the exception handler in ring 3, and then triggers an alignment exception with an unaligned stack, the microcode will enter an infinite loop. Because there's no instruction boundary, the core never receives another interrupt (including SMIs). The host kernel panics pretty quickly due to the effects.

A privileged user inside a guest could use this flaw to crash the host kernel, resulting in a DoS.

Upstream KVM patch:
-------------------
  -> http://permalink.gmane.org/gmane.linux.kernel/2082329

References:
-----------
  -> http://www.openwall.com/lists/oss-security/2015/11/10/1
Comment 1 Martin Prpič 2015-11-02 09:52 EST
Created attachment 1088606 [details]
CVE-2015-5307 proposed patch
Comment 6 Prasad J Pandit 2015-11-09 08:15:29 EST
Acknowledgements:

Red Hat would like to thank Ben Serebrin of Google Inc. for reporting this issue.
Comment 7 Prasad J Pandit 2015-11-09 08:21:43 EST
Statement:

This issue affects the versions of the kvm and xen packages as shipped with Red Hat Enterprise Linux 5.

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.

This issue affects the version of the Linux kernel as shipped with Red Hat Enterprise Linux 6 and 7. Future kernel updates for the respective releases may address this issue.

Red Hat Enterprise Linux 5 is now in Production Phase 3 of the support and maintenance life cycle. Thus it is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 8 Prasad J Pandit 2015-11-09 22:27:36 EST
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1279688]
Comment 9 Prasad J Pandit 2015-11-09 22:27:58 EST
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1279689]
Comment 10 Mohammed Gamal 2015-11-10 05:15:44 EST
I noticed that the proposed patch only fixes Intel VMX code. Are AMD hosts also affected by this vulnerability?
Comment 11 Petr Matousek 2015-11-10 05:32:40 EST
(In reply to Mohammed Gamal from comment #10)
> I noticed that the proposed patch only fixes Intel VMX code. Are AMD hosts
> also affected by this vulnerability?

Both Intel and AMD processors running KVM hosts are affected by this vulnerability. The final patch that will be included in Red Hat Enterprise Linux updates fixes both VMX and SVM code.
Comment 16 Fedora Update System 2015-11-19 04:55:06 EST
kernel-4.2.6-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2015-11-19 07:20:13 EST
kernel-4.2.6-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2015-11-20 18:21:41 EST
kernel-4.1.13-100.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2015-11-20 18:22:54 EST
xen-4.4.3-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2015-11-21 11:51:24 EST
xen-4.5.2-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2015-11-22 19:24:10 EST
xen-4.5.2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
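The Fedora Update System comments above name the kernel builds that carry the fix for Fedora 21, 22 and 23. The following is an added example, not tooling from this bug, Red Hat or Fedora: it turns those three builds into a local check that compares the running kernel's `uname -r` string against the fixed build for its release using a simplified reimplementation of RPM's version ordering (numeric runs compared as integers, alphabetic runs lexically, numeric beats alphabetic; tilde and caret ordering are omitted on the assumption that these kernel NVRs do not use them). The architecture suffix list and the `FIXED_KERNELS` table are the only assumptions; the RHEL errata builds are not quoted on this page, so RHEL hosts are reported as "no fixed build listed" rather than guessed.

```python
"""Check whether a Fedora kernel build is at or above the builds that the
Fedora Update System comments in this bug list as carrying the CVE-2015-5307
fix. Added example, not Red Hat's or Fedora's own tooling; rpmvercmp() is a
simplified reimplementation of RPM's comparison (no tilde/caret handling)."""
import platform
import re
from typing import Optional, Tuple

# Fixed kernel builds quoted from comments 16-18 of this bug, keyed by dist tag.
FIXED_KERNELS = {
    "fc21": "4.1.13-100.fc21",
    "fc22": "4.2.6-200.fc22",
    "fc23": "4.2.6-300.fc23",
}

# Architecture suffixes that `uname -r` appends on Fedora (assumed list).
_ARCHES = {"x86_64", "i686", "i586", "aarch64", "armv7hl", "ppc64", "ppc64le", "s390x"}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings the way rpm does:
    split into numeric and alphabetic runs, compare numeric runs as
    integers, alphabetic runs lexically, numeric beats alphabetic,
    and the string with segments left over is newer. Returns -1, 0 or 1."""
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            # a numeric segment always sorts newer than an alphabetic one
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) != len(seg_b):
        return 1 if len(seg_a) > len(seg_b) else -1
    return 0


def parse_uname_release(uname_r: str) -> Tuple[str, str, Optional[str]]:
    """Split e.g. '4.2.6-300.fc23.x86_64' into ('4.2.6', '300.fc23', 'fc23')."""
    version, _, rest = uname_r.partition("-")
    parts = rest.split(".")
    if parts and parts[-1] in _ARCHES:
        parts = parts[:-1]  # drop the architecture suffix, it is not part of the release
    dist = next((p for p in parts if re.fullmatch(r"fc[0-9]+", p)), None)
    return version, ".".join(parts), dist


def is_kernel_fixed(uname_r: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its Fedora release,
    False if it is older, None if the release is not one this bug lists a fix for."""
    version, release, dist = parse_uname_release(uname_r)
    fixed = FIXED_KERNELS.get(dist)
    if fixed is None:
        return None
    fixed_version, _, fixed_release = fixed.partition("-")
    order = rpmvercmp(version, fixed_version)
    if order == 0:
        # same upstream version: the Fedora release number decides
        order = rpmvercmp(release, fixed_release)
    return order >= 0


if __name__ == "__main__":
    running = platform.release()
    verdict = is_kernel_fixed(running)
    if verdict is None:
        print(f"{running}: no fixed build for this release is listed in the bug")
    elif verdict:
        print(f"{running}: at or above the fixed build for CVE-2015-5307")
    else:
        print(f"{running}: older than the fixed build, update the kernel")
```

Run it on the host, not inside a guest: the flaw is in the hypervisor's handling of guest exceptions, so it is the host kernel build that matters. A `None` verdict means the release is outside the three Fedora releases quoted here, not that the host is safe.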
Comment 22 errata-xmlrpc 2015-12-08 05:52:20 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2552 https://rhn.redhat.com/errata/RHSA-2015-2552.html
Comment 23 errata-xmlrpc 2015-12-09 04:49:35 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 EUS - Server and Compute Node Only

Via RHSA-2015:2587 https://rhn.redhat.com/errata/RHSA-2015-2587.html
Comment 24 errata-xmlrpc 2015-12-15 09:00:50 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2636 https://rhn.redhat.com/errata/RHSA-2015-2636.html
Comment 25 errata-xmlrpc 2015-12-15 09:37:20 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 AUS - Server Only

Via RHSA-2015:2645 https://rhn.redhat.com/errata/RHSA-2015-2645.html
Comment 26 errata-xmlrpc 2016-01-07 08:53:29 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 AUS - Server Only

Via RHSA-2016:0004 https://rhn.redhat.com/errata/RHSA-2016-0004.html
Comment 27 errata-xmlrpc 2016-01-12 09:50:54 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 EUS - Server and Compute Node Only

Via RHSA-2016:0024 https://rhn.redhat.com/errata/RHSA-2016-0024.html
Comment 28 errata-xmlrpc 2016-01-19 07:52:08 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 AUS

Via RHSA-2016:0046 https://rhn.redhat.com/errata/RHSA-2016-0046.html
