Bug 1995153 (CVE-2021-29657) - CVE-2021-29657 kernel: KVM: double fetch in nested_svm_vmrun can lead to unrestricted MSR access
Summary: CVE-2021-29657 kernel: KVM: double fetch in nested_svm_vmrun can lead to unre...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-29657
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1945742 1997736 1997737
Blocks: 1995155
Reported: 2021-08-18 14:28 UTC by Pedro Sampaio
Modified: 2021-12-15 11:28 UTC (History)

Fixed In Version: kernel 5.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A KVM guest on AMD can launch a nested guest without the Intercept VMRUN control bit by exploiting a TOCTOU vulnerability in nested_svm_vmrun. A malicious guest could use this flaw to gain unrestricted access to host MSRs, possibly leading to a guest-to-host escape scenario.
Clone Of:
Environment:
Last Closed: 2021-12-15 11:28:40 UTC
Embargoed:



Description Pedro Sampaio 2021-08-18 14:28:43 UTC
A KVM guest on AMD can launch an L2 guest without the Intercept VMRUN control bit by exploiting a TOCTOU vulnerability in nested_svm_vmrun. Executing VMRUN from the L2 guest will then trigger a second call to nested_svm_vmrun and corrupt svm->nested.hsave with data copied out of the L2 vmcb. For kernel versions that include the commit "2fcf4876: KVM: nSVM: implement on demand allocation of the nested state" (>=5.10), the guest can free the MSR permission bit in svm->nested.msrpm, while it's still in use and gain unrestricted access to host MSRs.

Upstream fix:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a58d9166a756a0f4a6618e4f593232593d6df134

Reference:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2177
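The double-fetch pattern behind this bug, shown as an added illustration that is not KVM's code and not part of the report: the vulnerable version checks a control field read from guest-writable memory and then re-reads it for use, so a concurrent guest write between the two reads (the TOCTOU window) changes what is programmed; the hardened version copies the controls into host-private memory once and checks and uses only that snapshot. The struct, function names and the racer callback are hypothetical simplifications.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the VMCB12 control area, which the L1 guest can rewrite
 * at any time from another vCPU. Hypothetical layout, not KVM's definition. */
struct vmcb12_ctrl {
    uint32_t intercept_vmrun;   /* 1 = VMRUN inside the nested guest is intercepted */
};

/* Outcome of a modelled VMRUN: did the consistency check pass, and which
 * intercept value actually ended up in the hardware controls. */
struct vmrun_result {
    bool check_passed;
    uint32_t intercept_used;
};

/* Racer invoked between check and use, standing in for a concurrent guest write. */
typedef void (*racer_fn)(struct vmcb12_ctrl *guest_mem);

/* Vulnerable pattern: check on fetch #1, use fetch #2 of the same guest memory. */
struct vmrun_result vmrun_double_fetch(struct vmcb12_ctrl *guest_mem, racer_fn racer)
{
    struct vmrun_result r = { false, 0 };
    if (guest_mem->intercept_vmrun != 1)            /* fetch #1: the check */
        return r;
    r.check_passed = true;
    if (racer) racer(guest_mem);                    /* guest flips the bit here */
    r.intercept_used = guest_mem->intercept_vmrun;  /* fetch #2: the value used */
    return r;
}

/* Hardened pattern: one copy into host-private memory, then check and use only
 * the snapshot, so a write to guest memory in the window cannot change the outcome. */
struct vmrun_result vmrun_single_fetch(struct vmcb12_ctrl *guest_mem, racer_fn racer)
{
    struct vmrun_result r = { false, 0 };
    struct vmcb12_ctrl ctl;
    memcpy(&ctl, guest_mem, sizeof(ctl));           /* the only fetch */
    if (ctl.intercept_vmrun != 1)
        return r;
    r.check_passed = true;
    if (racer) racer(guest_mem);                    /* same window, no re-read */
    r.intercept_used = ctl.intercept_vmrun;
    return r;
}

/* Constructed racer: clears the intercept bit while the host is mid-VMRUN. */
void clear_intercept(struct vmcb12_ctrl *guest_mem) { guest_mem->intercept_vmrun = 0; }
```

With the racer active, the double-fetch path passes its check yet programs intercept 0, while the single-fetch path programs the value it checked.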

Comment 4 juneau 2021-08-26 13:40:50 UTC
Setting Hosted OCP 'notaffected' as KVM is not employed in this environment.

