Bug 1836244 (CVE-2020-12888) - CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario
Summary: CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices ma...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12888
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1820632 1836245 1837291 1837292 1837293 1837294 1837295 1837297 1837298 1837299 1837300 1837301 1837302 1837303 1837304 1837305 1837306 1837307 1837308 1837309 1837310 1837311 1837312 1837313 1837314
Blocks: 1827369
TreeView+ depends on / blocked
 
Reported: 2020-05-15 13:13 UTC by Prasad Pandit
Modified: 2021-02-16 20:02 UTC (History)
50 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, where it allows userspace processes, for example, a guest VM, to directly access h/w devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access the read/write devices' MMIO address space when it is disabled, some h/w devices issue an interrupt to the CPU to indicate a fatal error condition, crashing the system. This flaw allows a guest user or process to crash the host system resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-06-23 17:20:29 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2712 0 None None None 2020-06-23 20:18:39 UTC
Red Hat Product Errata RHBA-2020:2974 0 None None None 2020-07-16 12:28:49 UTC
Red Hat Product Errata RHBA-2020:2975 0 None None None 2020-07-16 12:29:20 UTC
Red Hat Product Errata RHBA-2020:2976 0 None None None 2020-07-16 12:31:50 UTC
Red Hat Product Errata RHBA-2020:3086 0 None None None 2020-07-22 01:04:34 UTC
Red Hat Product Errata RHSA-2020:2664 0 None None None 2020-06-23 12:25:49 UTC
Red Hat Product Errata RHSA-2020:2665 0 None None None 2020-06-23 12:26:14 UTC
Red Hat Product Errata RHSA-2020:2831 0 None None None 2020-07-07 08:27:57 UTC
Red Hat Product Errata RHSA-2020:2832 0 None None None 2020-07-07 08:37:07 UTC
Red Hat Product Errata RHSA-2020:2851 0 None None None 2020-07-07 09:52:19 UTC
Red Hat Product Errata RHSA-2020:2854 0 None None None 2020-07-07 13:19:08 UTC
Red Hat Product Errata RHSA-2020:3010 0 None None None 2020-07-21 11:05:28 UTC
Red Hat Product Errata RHSA-2020:3016 0 None None None 2020-07-21 11:23:35 UTC
Red Hat Product Errata RHSA-2020:3019 0 None None None 2020-07-21 13:41:20 UTC
Red Hat Product Errata RHSA-2020:3041 0 None None None 2020-07-21 14:32:30 UTC
Red Hat Product Errata RHSA-2020:3222 0 None None None 2020-07-29 19:37:28 UTC
Red Hat Product Errata RHSA-2020:3230 0 None None None 2020-07-29 21:40:46 UTC

Description Prasad Pandit 2020-05-15 13:13:38 UTC 
Linux kernel allows user space processes (like guest VM) to directly access h/w devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access(r/w) devices' MMIO address space, when it is disabled, some h/w devices issue an interrupt to the CPU to indicate a fatal error condition, essentially crashing down the system. A guest user/process may use this flaw to crash the host system resulting in DoS scenario.

Upstream patches:
-----------------
  -> https://lore.kernel.org/kvm/158871570274.15589.10563806532874116326.stgit@gimli.home/
  -> https://lore.kernel.org/kvm/158871401328.15589.17598154478222071285.stgit@gimli.home/

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/05/19/6
Comment 1 Prasad Pandit 2020-05-15 13:14:11 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1836245]
Comment 3 RaTasha Tillery-Smith 2020-05-18 15:27:06 UTC 
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
This issue affects the versions of the kernel package as shipped with Red Hat Enterprise Linux 7 and 8. Future kernel updates for Red Hat Enterprise Linux 7 and 8 may address this issue.
Comment 9 errata-xmlrpc 2020-06-23 12:25:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2664 https://access.redhat.com/errata/RHSA-2020:2664
Comment 10 errata-xmlrpc 2020-06-23 12:26:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2665 https://access.redhat.com/errata/RHSA-2020:2665
Comment 11 Product Security DevOps Team 2020-06-23 17:20:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12888
Comment 12 errata-xmlrpc 2020-07-07 08:27:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:2831 https://access.redhat.com/errata/RHSA-2020:2831
Comment 13 errata-xmlrpc 2020-07-07 08:37:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:2832 https://access.redhat.com/errata/RHSA-2020:2832
Comment 14 errata-xmlrpc 2020-07-07 09:52:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2851 https://access.redhat.com/errata/RHSA-2020:2851
Comment 15 errata-xmlrpc 2020-07-07 13:19:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854
Comment 17 errata-xmlrpc 2020-07-21 11:05:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3010 https://access.redhat.com/errata/RHSA-2020:3010
Comment 18 errata-xmlrpc 2020-07-21 11:23:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3016 https://access.redhat.com/errata/RHSA-2020:3016
Comment 19 errata-xmlrpc 2020-07-21 13:41:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3019 https://access.redhat.com/errata/RHSA-2020:3019
Comment 20 errata-xmlrpc 2020-07-21 14:32:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3041 https://access.redhat.com/errata/RHSA-2020:3041
Comment 22 errata-xmlrpc 2020-07-29 19:37:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3222 https://access.redhat.com/errata/RHSA-2020:3222
Comment 23 errata-xmlrpc 2020-07-29 21:40:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3230 https://access.redhat.com/errata/RHSA-2020:3230
Note You need to log in before you can comment on or make changes to this bug.