A vulnerability was found in AMD SEV-SNP (named "WeSee"), in this flaw, the hypervisor can inject a malicious #VC into a CPU that is executing a SEV-SNP VM at any time. Specifically, the hypervisor has the ability to inject external interrupts to the CPUs, including #VC which is yet another exception. It is seen that SEV-SNP invokes the #VC exception handler in the VM without checking the authenticity of the root cause. Specifically, the VC handler does not check if the VM indeed executed an instruction that would legitimately cause the CPU to generate a #VC exception. The VC handler performs sensitive operations of copying data between the VM and the hypervisor to emulate the semantics of the instruction that generated the #VC. The handler is programmed to be bug-free and has checks to defend against Iago attacks, i.e., it clears all registers and performs checks on the data values provided by the hypervisor before it uses them as per AMD specifications [14]. However, it is not programmed to defend against #VC that is maliciously injected by the hypervisor. Worse yet, each malicious #VC injection tricks the handler into emulating an instruction that either writes attacker-controlled data to the VM or leaks sensitive VM data to the hypervisor. References: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=f35e46631b28a63ca3887d7afef1a65a5544da52 https://arxiv.org/html/2404.03526v1
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:2628 https://access.redhat.com/errata/RHSA-2024:2628
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:2627 https://access.redhat.com/errata/RHSA-2024:2627
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2758 https://access.redhat.com/errata/RHSA-2024:2758
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:3421 https://access.redhat.com/errata/RHSA-2024:3421
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:3810 https://access.redhat.com/errata/RHSA-2024:3810