lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1507809589-12786-1-git-send-email-pbonzini@redhat.com>
Date:   Thu, 12 Oct 2017 13:59:47 +0200
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Subject: [PATCH 0/2] KVM: nVMX: fix out-of-bounds access (CVE-2017-12188)

Due to a combination of a bug in nEPT (patch 1), and a broken safety
net elsewhere in the MMU code (patch 2), a malicious guest could use
nested EPT to overwrite kernel memory.  In particular, the arrays in
struct guest_walker could be accessed with index -1 and the "level" and
"max_level" fields overwritten:

struct guest_walker {
        int level;
        unsigned max_level;
        gfn_t table_gfn[PT_MAX_FULL_LEVELS];
	...
}

Because the level field is used as an index into array, it is at least
possible to overwrite the kernel stack and this should be treated as a
possible guest-to-host escape on Intel hosts with nested virtualization
enabled.

While the incorrect code in patch 1 is present since Linux 3.12, the
bug only affects Linux kernels 4.6 and newer.  Therefore, stable kernels
only need to apply the second patch, which has the advantage of applying
more cleanly.

The bug was discovered by Ladislav (Ladi) Prosek from Red Hat.

Thanks,

Paolo

Ladi Prosek (2):
  KVM: nVMX: update last_nonleaf_level when initializing nested EPT
  KVM: MMU: always terminate page walks at level 1

 arch/x86/kvm/mmu.c         | 15 ++++++++-------
 arch/x86/kvm/paging_tmpl.h |  3 ++-
 2 files changed, 10 insertions(+), 8 deletions(-)

-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ