Bug 1277172 (CVE-2015-5307, XSA-156) - CVE-2015-5307 virt: guest to host DoS by triggering an infinite loop in microcode via #AC exception
Summary: CVE-2015-5307 virt: guest to host DoS by triggering an infinite loop in micro...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5307, XSA-156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1277557 1277559 1277560 1277561 1277563 1277564 1277565 1277566 1277567 1279688 1279689
Blocks: 1277175
TreeView+ depends on / blocked
 
Reported: 2015-11-02 14:50 UTC by Martin Prpič
Modified: 2019-09-29 13:39 UTC (History)
48 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the x86 ISA (Instruction Set Architecture) is prone to a denial of service attack inside a virtualized environment in the form of an infinite loop in the microcode due to the way (sequential) delivering of benign exceptions such as #AC (alignment check exception) is handled. A privileged user inside a guest could use this flaw to create denial of service conditions on the host kernel.
Clone Of:
Environment:
Last Closed: 2016-01-07 14:27:41 UTC


Attachments (Terms of Use)
CVE-2015-5307 proposed patch (1.61 KB, text/plain)
2015-11-02 14:52 UTC, Martin Prpič
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2552 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-12-08 15:51:34 UTC
Red Hat Product Errata RHSA-2015:2587 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2015-12-09 14:44:50 UTC
Red Hat Product Errata RHSA-2015:2636 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-12-15 18:57:46 UTC
Red Hat Product Errata RHSA-2015:2645 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-12-15 19:36:40 UTC
Red Hat Product Errata RHSA-2016:0004 normal SHIPPED_LIVE Important: kernel security update 2016-01-07 18:52:46 UTC
Red Hat Product Errata RHSA-2016:0024 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-01-12 19:48:34 UTC
Red Hat Product Errata RHSA-2016:0046 normal SHIPPED_LIVE Important: kernel security update 2016-01-19 17:51:29 UTC

Description Martin Prpič 2015-11-02 14:50:51 UTC
It was found that a guest can DoS a host by triggering an infinite loop in microcode. If a guest in 32-bit mode enabled alignment exceptions, puts the exception handler in ring 3, and then triggers an alignment exception with an unaligned stack, then the microcode will enter an infinite loop. Because there's no instruction boundary the core never receives another interrupt (including SMIs). The host kernel panics pretty quickly due to the effects.

A privileged user inside guest could use this flaw to crash the host kernel
resulting in DoS.

Upstream KVM patch:
-------------------
  -> http://permalink.gmane.org/gmane.linux.kernel/2082329

References:
-----------
  -> http://www.openwall.com/lists/oss-security/2015/11/10/1

Comment 1 Martin Prpič 2015-11-02 14:52:18 UTC
Created attachment 1088606 [details]
CVE-2015-5307 proposed patch

Comment 6 Prasad J Pandit 2015-11-09 13:15:29 UTC
Acknowledgements:

Red Hat would like to thank Ben Serebrin of Google Inc. for reporting this issue.

Comment 7 Prasad J Pandit 2015-11-09 13:21:43 UTC
Statement:

This issue affects the version of the kvm and xen packages as shipped with Red Hat Enterprise Linux 5.

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2.

This issue affects the version of Linux kernel as shipped with Red Hat Enterprise Linux 6 and 7. Future kernel updates for the respective releases may address this issue.

Red Hat Enterprise Linux 5 is now in Production Phase 3 of the support and maintenance life cycle. Thus it is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 8 Prasad J Pandit 2015-11-10 03:27:36 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1279688]

Comment 9 Prasad J Pandit 2015-11-10 03:27:58 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1279689]

Comment 10 Mohammed Gamal 2015-11-10 10:15:44 UTC
I noticed that the proposed patch only fixes Intel VMX code. Are AMD hosts also affected by this vulnerability?

Comment 11 Petr Matousek 2015-11-10 10:32:40 UTC
(In reply to Mohammed Gamal from comment #10)
> I noticed that the proposed patch only fixes Intel VMX code. Are AMD hosts
> also affected by this vulnerability?

Both Intel and AMD processors running KVM hosts are affected by this vulnerability. The final patch that will be included in Red Hat Enterprise Linux updates fixes both VMX and SVM code.

Comment 16 Fedora Update System 2015-11-19 09:55:06 UTC
kernel-4.2.6-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2015-11-19 12:20:13 UTC
kernel-4.2.6-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2015-11-20 23:21:41 UTC
kernel-4.1.13-100.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2015-11-20 23:22:54 UTC
xen-4.4.3-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2015-11-21 16:51:24 UTC
xen-4.5.2-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2015-11-23 00:24:10 UTC
xen-4.5.2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 errata-xmlrpc 2015-12-08 10:52:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2552 https://rhn.redhat.com/errata/RHSA-2015-2552.html

Comment 23 errata-xmlrpc 2015-12-09 09:49:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 7.1 EUS  - Server and Compute Node Only

Via RHSA-2015:2587 https://rhn.redhat.com/errata/RHSA-2015-2587.html

Comment 24 errata-xmlrpc 2015-12-15 14:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2636 https://rhn.redhat.com/errata/RHSA-2015-2636.html

Comment 25 errata-xmlrpc 2015-12-15 14:37:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 AUS - Server Only

Via RHSA-2015:2645 https://rhn.redhat.com/errata/RHSA-2015-2645.html

Comment 26 errata-xmlrpc 2016-01-07 13:53:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 AUS - Server Only

Via RHSA-2016:0004 https://rhn.redhat.com/errata/RHSA-2016-0004.html

Comment 27 errata-xmlrpc 2016-01-12 14:50:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 EUS - Server and Compute Node Only

Via RHSA-2016:0024 https://rhn.redhat.com/errata/RHSA-2016-0024.html

Comment 28 errata-xmlrpc 2016-01-19 12:52:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 AUS

Via RHSA-2016:0046 https://rhn.redhat.com/errata/RHSA-2016-0046.html


Note You need to log in before you can comment on or make changes to this bug.