Bug 1947982 (CVE-2020-36310) - CVE-2020-36310 kernel: infinite loop in set_memory_region_test in arch/x86/kvm/svm/svm.c for certain nested page faults
Summary: CVE-2020-36310 kernel: infinite loop in set_memory_region_test in arch/x86/kv...
Alias: CVE-2020-36310
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1947983
Blocks: 1947984
TreeView+ depends on / blocked
Reported: 2021-04-09 16:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-07-08 06:23 UTC (History)
44 users (show)

Fixed In Version: linux-kernel 5.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A nested page fault is created when an address does not have a memslot associated to it. The highest threat from this vulnerability is to system availability. This flaw can be triggered using a malformed Virtual Machine. When triggered this bug will lead to the user-space component of KVM to freeze.
Clone Of:
Last Closed: 2021-07-01 10:56:01 UTC

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-04-09 16:53:36 UTC
An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults.

Reference and upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-04-09 16:54:28 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1947983]

Comment 2 Justin M. Forbes 2021-04-12 21:18:21 UTC
This was fixed for Fedora with the 5.8 kernel rebases.

Comment 3 Jan Werner 2021-05-04 11:39:01 UTC
From Paolo Bonzini:
On 30/04/21 20:32, Jan Werner wrote:
> So to trigger this flaw one would have to run a nested Virtual Machine,
> and attempt to execute the code from an instruction pointer that does
> not have a memslost assigned to that memory location?
> If that's the case, what conditions need to occur for that to happen?

You don't need a nested virtual machine.  This is a "nested page fault",
ie. a guest-to-hypervisor page fault.  You just need to run the KVM
selftests to reproduce the bug.

> I saw the discussion here:
> http://lkml.iu.edu/hypermail/linux/kernel/2004.2/03025.html
> <http://lkml.iu.edu/hypermail/linux/kernel/2004.2/03025.html>
> And I believe that I understand the conditions observed in the testing.
> Can you help me understand how those conditions can be reproduced in the
> production?

The bug would happen when the VM executes from a non-existing address;
in production it would only happen with a buggy VM.  Instead of exiting
immediately with an error, it would retry forever (but it's
interruptible with Ctrl-C, i.e. not a serious issue).  Who decided to
give this bug a CVE, and can it be retracted?  This is just a bug with
no security consequences.

Note You need to log in before you can comment on or make changes to this bug.