Bug 2270836 (AMD-SN-3008, CVE-2024-25742, CVE-2024-25743) - CVE-2024-25742 CVE-2024-25743 hw: amd: Instruction raise #VC exception at exit
Summary: CVE-2024-25742 CVE-2024-25743 hw: amd: Instruction raise #VC exception at exit
Keywords:
Status: NEW
Alias: AMD-SN-3008, CVE-2024-25742, CVE-2024-25743
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2270838
 
Reported: 2024-03-21 19:05 UTC by Rohit Keshri
Modified: 2024-05-16 08:58 UTC (History)
CC List: 56 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in AMD SEV-SNP, where a malicious hypervisor can potentially break the confidentiality and integrity of SEV-SNP Linux guests by injecting interrupts and exceptions that the guest never triggered. One instance is injecting interrupt 0x80, the vector Linux uses for legacy 32-bit system calls, while a SEV VM is running: the guest kernel then executes a system call the guest did not request, taking the system-call number from whatever EAX holds at that moment. Another is injecting a #VC exception (detailed in the description below), so that the guest's #VC handler emulates an instruction and copies data across the guest/hypervisor boundary.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
Red Hat Product Errata RHBA-2024:2878 (last updated 2024-05-16 08:57:52 UTC)
Red Hat Product Errata RHBA-2024:2879 (last updated 2024-05-16 08:58:21 UTC)
Red Hat Product Errata RHSA-2024:2627 (last updated 2024-05-01 00:32:26 UTC)
Red Hat Product Errata RHSA-2024:2628 (last updated 2024-05-01 00:16:56 UTC)
Red Hat Product Errata RHSA-2024:2758 (last updated 2024-05-08 00:47:09 UTC)

Description Rohit Keshri 2024-03-21 19:05:11 UTC
A vulnerability was found in AMD SEV-SNP (named "WeSee"). In this flaw, the hypervisor can inject a malicious #VC into a CPU that is executing a SEV-SNP VM at any time. Specifically, the hypervisor has the ability to inject external interrupts into the CPUs, including #VC, which is yet another exception.

It is seen that SEV-SNP invokes the #VC exception handler in the VM without checking the authenticity of the root cause. Specifically, the VC handler does not check if the VM indeed executed an instruction that would legitimately cause the CPU to generate a #VC exception.

The VC handler performs sensitive operations of copying data between the VM and the hypervisor to emulate the semantics of the instruction that generated the #VC. The handler is programmed to be bug-free and has checks to defend against Iago attacks, i.e., it clears all registers and performs checks on the data values provided by the hypervisor before it uses them as per AMD specifications. However, it is not programmed to defend against a #VC that is maliciously injected by the hypervisor. Worse yet, each malicious #VC injection tricks the handler into emulating an instruction that either writes attacker-controlled data to the VM or leaks sensitive VM data to the hypervisor.

References:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=f35e46631b28a63ca3887d7afef1a65a5544da52
https://arxiv.org/html/2404.03526v1
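The following user-space C model is an added example illustrating the mechanism the Doc Text and the description above describe; it is not the Linux #VC handler, not the upstream fixes linked above, and not code from the WeSee paper. It assumes a simplified guest context, a GHCB with only the fields the scenario needs, a three-byte decoder for `mov rax,[rsi]` / `mov [rsi],rax`, and a constructed `gpa_is_shared()` window standing in for what a real guest learns from its page tables and the C-bit. On a real CPU the #VC error code is pushed by hardware; a hypervisor that injects #VC through event injection picks that value itself, and the trusting handler below acts on it. The checked handler adds the one plausibility test a practitioner wants here: an NPF-class #VC on a private GPA cannot be genuine, so it is refused before the GHCB is touched.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Exit code the CPU pushes as the #VC error code for an MMIO access
 * (value from the GHCB spec). An injected #VC carries whatever the
 * hypervisor chose. */
#define SVM_EXIT_NPF 0x400ULL

/* Encrypted guest state: opaque to the hypervisor under SEV-SNP. */
typedef struct {
    uint64_t rip, rax, rsi;
    uint8_t  code[4];        /* constructed: instruction bytes at rip */
} guest_ctx;

/* The GHCB is a shared page; every field is hypervisor-controlled. */
typedef struct {
    uint64_t sw_exitcode, sw_exitinfo1;  /* what the guest asks the HV to do */
    uint64_t rax;                        /* value the HV "returns" for a read */
    uint64_t shared_buf;                 /* data the guest exposes for a write */
} ghcb_t;

/* Constructed model of the guest's own record of shared (MMIO) GPAs.
 * Everything outside this window is private memory. */
#define MMIO_BASE 0xfed00000ULL
#define MMIO_SIZE 0x1000ULL
static bool gpa_is_shared(uint64_t gpa) {
    return gpa >= MMIO_BASE && gpa < MMIO_BASE + MMIO_SIZE;
}

enum insn { INSN_OTHER, INSN_LOAD_RSI, INSN_STORE_RSI };

/* Minimal decoder for the two encodings this model emulates. */
static enum insn decode(const uint8_t *c) {
    if (c[0] == 0x48 && c[1] == 0x8b && c[2] == 0x06) return INSN_LOAD_RSI;   /* mov rax,[rsi] */
    if (c[0] == 0x48 && c[1] == 0x89 && c[2] == 0x06) return INSN_STORE_RSI;  /* mov [rsi],rax */
    return INSN_OTHER;
}

enum vc_result { VC_EMULATED, VC_REJECTED };

/* MMIO emulation shared by both handlers: copies data across the trust
 * boundary through the GHCB. This is the sensitive operation. */
static void emulate_mmio(guest_ctx *g, ghcb_t *ghcb, enum insn k, uint64_t gpa) {
    ghcb->sw_exitcode  = SVM_EXIT_NPF;
    ghcb->sw_exitinfo1 = gpa;
    if (k == INSN_LOAD_RSI)
        g->rax = ghcb->rax;          /* HV-chosen data lands in a guest register */
    else
        ghcb->shared_buf = g->rax;   /* guest register contents leave the VM */
    g->rip += 3;
}

/* Vulnerable pattern: trust the pushed error code and emulate whatever
 * instruction sits at rip, never asking whether the CPU could have raised
 * #VC here at all. */
enum vc_result vc_handler_trusting(guest_ctx *g, ghcb_t *ghcb, uint64_t err) {
    enum insn k = decode(g->code);
    if (err == SVM_EXIT_NPF && k != INSN_OTHER) {
        emulate_mmio(g, ghcb, k, g->rsi);
        return VC_EMULATED;
    }
    return VC_REJECTED;
}

/* Hardened pattern: an NPF-class #VC is only plausible for a shared GPA.
 * A private GPA never faults to the hypervisor, so such a #VC must have
 * been injected and is refused before the GHCB is touched. */
enum vc_result vc_handler_checked(guest_ctx *g, ghcb_t *ghcb, uint64_t err) {
    enum insn k = decode(g->code);
    if (err == SVM_EXIT_NPF && k != INSN_OTHER) {
        if (!gpa_is_shared(g->rsi))
            return VC_REJECTED;
        emulate_mmio(g, ghcb, k, g->rsi);
        return VC_EMULATED;
    }
    return VC_REJECTED;
}

typedef enum vc_result (*vc_handler_fn)(guest_ctx *, ghcb_t *, uint64_t);

/* Scenario 1 (write): guest is at "mov rax,[rsi]" reading private memory;
 * HV injects #VC with err=SVM_EXIT_NPF and a prepared GHCB. Returns the
 * guest's rax afterwards. */
uint64_t run_injection(vc_handler_fn h) {
    guest_ctx g = { .rip = 0x401000, .rax = 0, .rsi = 0x1000, .code = {0x48, 0x8b, 0x06} };
    ghcb_t ghcb = { .rax = 0x4141414141414141ULL };   /* attacker-chosen payload */
    h(&g, &ghcb, SVM_EXIT_NPF);
    return g.rax;
}

/* Scenario 2 (leak): guest is at "mov [rsi],rax" with a secret in rax.
 * Returns what reached the shared buffer (0 means nothing leaked). */
uint64_t run_leak(vc_handler_fn h) {
    guest_ctx g = { .rip = 0x401000, .rax = 0x5ec7e7ULL, .rsi = 0x1000, .code = {0x48, 0x89, 0x06} };
    ghcb_t ghcb = { 0 };
    h(&g, &ghcb, SVM_EXIT_NPF);
    return ghcb.shared_buf;
}

int main(void) {
    printf("trusting: rax=%#llx leaked=%#llx\n",
           (unsigned long long)run_injection(vc_handler_trusting),
           (unsigned long long)run_leak(vc_handler_trusting));
    printf("checked:  rax=%#llx leaked=%#llx\n",
           (unsigned long long)run_injection(vc_handler_checked),
           (unsigned long long)run_leak(vc_handler_checked));
    return 0;
}
```

The model deliberately keeps the Iago-style checks out of scope: both handlers could validate every GHCB field and still behave differently here, because the flaw is not in how hypervisor data is validated but in acting on an exception the guest never caused. Whether a #VC is genuine has to be decided from guest-private state (here, the guest's own shared/private map of the target GPA), never from anything the hypervisor supplies.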

Comment 9 errata-xmlrpc 2024-05-01 00:16:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2628 https://access.redhat.com/errata/RHSA-2024:2628

Comment 10 errata-xmlrpc 2024-05-01 00:32:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2627 https://access.redhat.com/errata/RHSA-2024:2627

Comment 11 errata-xmlrpc 2024-05-08 00:47:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2758 https://access.redhat.com/errata/RHSA-2024:2758

