1144883 – (CVE-2014-3610) CVE-2014-3610 kernel: kvm: noncanonical MSR writes

Bug 1144883 (CVE-2014-3610) - CVE-2014-3610 kernel: kvm: noncanonical MSR writes

Summary: CVE-2014-3610 kernel: kvm: noncanonical MSR writes

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-3610
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Engineering1144884 Engineering1144885 Engineering1152982 Engineering1152983 1156543
Blocks:	Embargoed1144830
TreeView+	depends on / blocked

Reported:	2014-09-21 20:12 UTC by Petr Matousek
Modified:	2023-05-12 05:28 UTC (History)
CC List:	26 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that KVM's Write to Model Specific Register (WRMSR) instruction emulation would write non-canonical values passed in by the guest to certain MSRs in the host's context. A privileged guest user could use this flaw to crash the host.
Clone Of:
Environment:
Last Closed:	2015-04-22 11:05:10 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0869	0	normal	SHIPPED_LIVE	Important: kvm security update	2015-04-22 14:09:46 UTC

Description Petr Matousek 2014-09-21 20:12:19 UTC

If the guest writes a noncanonical value to certain MSR registers, KVM will
write that value to the MSR in the host context and a #GP will be raised
leading to kernel panic.

A privileged guest user can use this flaw to crash the host.

Enabling CONFIG_PARAVIRT when building the kernel mitigates this issue because wrmsrl() ends up invoking safe msr write variant.

Acknowledgements:

Red Hat would like to thank Lars Bull of Google and Nadav Amit for reporting
this issue.

Comment 5 Petr Matousek 2014-10-15 10:30:45 UTC

Statement:

This issue does not affect Linux kernel packages as shipped with Red Hat Enterprise Linux 6 and 7. Future kvm package updates for Red Hat Enterprise Linux 5 may address this issue.

Comment 6 Petr Matousek 2014-10-24 16:07:21 UTC

Upstream patches:

http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=854e8bb1aa06c578c2c9145fa6bfe3680ef63b23
http://git.kernel.org/cgit/virt/kvm/kvm.git/commit/?id=8b3c3104c3f4f706e99365c3e0d2aa61b95f969f

Comment 7 Petr Matousek 2014-10-24 16:09:38 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1156543]

Comment 8 Fedora Update System 2014-10-28 06:44:38 UTC

kernel-3.16.6-203.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-11-03 05:22:37 UTC

kernel-3.17.2-300.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-11-16 14:46:13 UTC

kernel-3.14.23-100.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 errata-xmlrpc 2015-04-22 10:10:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:0869 https://rhn.redhat.com/errata/RHSA-2015-0869.html

Note You need to log in before you can comment on or make changes to this bug.

agordeev
aquini
areis
carnil
dhoward
drjones
ehabkost
fhrbata
juzhang
kernel-mgr
knoel
lwang
mkenneth
mrezanin
mst
mtosatti
nmurray
pbonzini
pholasek
plougher
pmatouse
rkrcmar
rvrbovsk
security-response-team
shu
stefanha