Reserved fields in guest message responses may not be zero initialized. The sizeof(snp_msg_cpuid_rsp_t) bytes are zero initialized, but ReqHdr->msg_size is sent out for the request. If a guest sets ReqHdr->msg_size to a higher value than sizeof(snp_msg_cpuid_rsp_t), the firmware may leak stale memory from gpSevScratchBuf+(PAGE_SIZE_4K*3). The stale data leaked to software may contain guest private data or SEV firmware sensitive data.
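The length mismatch described above, as a simplified user-space model added here for illustration; it is not the SEV firmware's code or the vendor's fix. The type names, the 64-byte response size, the 0xA5 stale pattern and the hardened variant are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE_4K 4096u

/* Hypothetical stand-ins for the types named in the report. */
typedef struct { uint32_t msg_size; } req_hdr_t;   /* guest-controlled length */
typedef struct { uint8_t body[64]; } cpuid_rsp_t;  /* models snp_msg_cpuid_rsp_t */

static uint8_t scratch[PAGE_SIZE_4K];              /* models a reused scratch page */

/* Flawed pattern: clears sizeof(rsp) bytes, then sends msg_size bytes. */
size_t send_rsp_flawed(const req_hdr_t *hdr, uint8_t *out, size_t cap)
{
    memset(scratch, 0, sizeof(cpuid_rsp_t));
    size_t n = hdr->msg_size;
    if (n > cap || n > sizeof scratch) return 0;   /* buffer bound only */
    memcpy(out, scratch, n);
    return n;
}

/* Hardened pattern (one option): refuse oversized lengths, clear all that is sent. */
size_t send_rsp_hardened(const req_hdr_t *hdr, uint8_t *out, size_t cap)
{
    size_t n = hdr->msg_size;
    if (n > sizeof(cpuid_rsp_t) || n > cap) return 0;
    memset(scratch, 0, sizeof scratch);
    memcpy(out, scratch, n);
    return n;
}

/* Returns how many stale (non-zero) bytes reach the caller for a given msg_size. */
size_t leaked_bytes(uint32_t msg_size, int hardened)
{
    uint8_t out[PAGE_SIZE_4K] = {0};
    req_hdr_t hdr = { msg_size };
    memset(scratch, 0xA5, sizeof scratch);         /* constructed stale data */
    size_t n = hardened ? send_rsp_hardened(&hdr, out, sizeof out)
                        : send_rsp_flawed(&hdr, out, sizeof out);
    size_t stale = 0;
    for (size_t i = 0; i < n; i++) stale += (out[i] != 0);
    return stale;
}

int main(void)
{
    printf("flawed, msg_size=256:   %zu stale bytes\n", leaked_bytes(256, 0));
    printf("hardened, msg_size=256: %zu stale bytes\n", leaked_bytes(256, 1));
    return 0;
}
```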
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2279329]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2024:4262 https://access.redhat.com/errata/RHSA-2024:4262
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Via RHSA-2024:4409 https://access.redhat.com/errata/RHSA-2024:4409
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Telecommunications Update Service; Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Via RHSA-2024:4733 https://access.redhat.com/errata/RHSA-2024:4733
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support. Via RHSA-2024:4741 https://access.redhat.com/errata/RHSA-2024:4741
This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2024:4774 https://access.redhat.com/errata/RHSA-2024:4774
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support. Via RHSA-2024:5640 https://access.redhat.com/errata/RHSA-2024:5640
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support. Via RHSA-2024:5883 https://access.redhat.com/errata/RHSA-2024:5883