Bug 1671930 (CVE-2019-7222) - CVE-2019-7222 Kernel: KVM: leak of uninitialized stack contents to guest
Summary: CVE-2019-7222 Kernel: KVM: leak of uninitialized stack contents to guest
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-7222
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1671931 1671932 1673686 1673845 1673846
Blocks: 1671898
Reported: 2019-02-02 07:08 UTC by Prasad Pandit
Modified: 2023-05-12 21:13 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information leakage issue was found in the way the Linux kernel's KVM hypervisor handled page fault exceptions while emulating instructions like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with a memory address as an operand. It occurs if the operand is an MMIO address, as the returned exception object holds uninitialized stack memory contents. A guest user/process could use this flaw to leak the host's stack memory contents to a guest.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:21:43 UTC
Embargoed:


Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2019:2029 | 0       | None     | None   | None    | 2019-08-06 12:04:38 UTC
Red Hat Product Errata | RHSA-2019:2043 | 0       | None     | None   | None    | 2019-08-06 12:07:04 UTC
Red Hat Product Errata | RHSA-2019:3309 | 0       | None     | None   | None    | 2019-11-05 20:35:15 UTC
Red Hat Product Errata | RHSA-2019:3517 | 0       | None     | None   | None    | 2019-11-05 21:05:58 UTC

Description Prasad Pandit 2019-02-02 07:08:31 UTC
An information leakage issue was found in the way Linux kernel's KVM hypervisor
handled page fault exception while emulating instructions like VMXON, VMCLEAR,
VMPTRLD, VMWRITE with memory address as an operand. It occurs if the operand is
an mmio address, as the returned exception object holds uninitialised stack memory
contents.

A guest user/process could use this flaw to leak host's stack memory contents
to a guest.

It affects only Intel processors and only when nested virtualization is
enabled.

Upstream patch:
---------------
  -> https://git.kernel.org/linus/353c0956a618a07ba4bbe7ad00ff29fe70e8412a

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2019/02/18/2
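
The bug class described above, modelled in user space as an added example (not code from the kernel or from this bug report): a callee reports a fault on the MMIO path without filling in the caller's stack-allocated fault object, and the caller delivers that object to the guest anyway. All names, the address split and the 0xA5 marker are constructed; zeroing the object first is shown as the usual hardening for this pattern, and the linked upstream patch remains the authoritative fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the exception object returned to the guest. */
struct fault_info {
    uint8_t  vector;
    bool     error_code_valid;
    uint16_t error_code;
    uint64_t address;
};
#define RAM_LIMIT 0x00100000ULL /* constructed: below this the access succeeds */
#define MMIO_BASE 0xfee00000ULL /* constructed: at or above this the operand is MMIO */
#define STALE     0xA5          /* marker byte standing in for leftover stack data */

/* Returns true when the access faults. Only the page-fault path fills *f. */
static bool read_operand(uint64_t addr, struct fault_info *f, bool hardened)
{
    if (hardened)
        memset(f, 0, sizeof(*f));  /* defined contents on every return path */
    if (addr >= MMIO_BASE)
        return true;               /* MMIO: reports failure, never writes *f */
    if (addr < RAM_LIMIT)
        return false;              /* mapped RAM: no fault */
    *f = (struct fault_info){ .vector = 14, .error_code_valid = true, .address = addr };
    return true;                   /* unmapped: page fault described in *f */
}

/* Emulates one memory-operand instruction; returns how many marker bytes
 * are present in the fault object delivered to the guest. */
static size_t emulate(uint64_t addr, bool hardened, struct fault_info *guest)
{
    struct fault_info slot;
    size_t i, leaked = 0;
    memset(&slot, STALE, sizeof(slot));     /* deterministic model of a dirty stack slot */
    memset(guest, 0, sizeof(*guest));
    if (read_operand(addr, &slot, hardened))
        memcpy(guest, &slot, sizeof(slot)); /* fault reported, so the object is trusted */
    for (i = 0; i < sizeof(*guest); i++)
        leaked += ((const unsigned char *)guest)[i] == STALE;
    return leaked;
}

int main(void)
{
    struct fault_info g;
    printf("MMIO operand, unpatched: %zu stale bytes\n", emulate(MMIO_BASE, false, &g));
    printf("MMIO operand, zeroed:    %zu stale bytes\n", emulate(MMIO_BASE, true, &g));
    return 0;
}
```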

Comment 2 Prasad Pandit 2019-02-06 07:12:05 UTC
Acknowledgments:

Name: Felix Wilhelm (Google)

Comment 4 Prasad Pandit 2019-02-07 19:01:15 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1673686]

Comment 6 Eric Christensen 2019-02-08 15:20:07 UTC
Statement:

This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 7. Future kernel updates for Red Hat Enterprise Linux 7 may address this issue.

Note: Impact on the Red Hat Enterprise Linux 7 kernel is limited, as it requires that the nested virtualization feature is enabled on a system. The nested virtualization feature is available only as a Technology Preview.

Comment 7 errata-xmlrpc 2019-08-06 12:04:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 8 errata-xmlrpc 2019-08-06 12:07:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

Comment 9 Product Security DevOps Team 2019-08-06 13:21:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-7222

Comment 11 errata-xmlrpc 2019-11-05 20:35:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

Comment 12 errata-xmlrpc 2019-11-05 21:05:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

