linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in handle_invept()

Bug #1678676 reported by minoura on 2017-04-02
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Unassigned
Trusty
High
Unassigned

Bug Description

KVM in linux 3.11 - 3.14 (including ubuntu 14.04 linux <= 3.13.0-113.160) has a
flaw in INVEPT emulation that could crash the host.

[ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
[ 1046.387386] IP: [<ffffffffa05b3ca3>] handle_invept+0x123/0x170 [kvm_intel]
[ 1046.389577] PGD 0
[ 1046.390273] Oops: 0000 [#1] SMP

(tested with Ubuntu 14.04 linux-image-3.13.0-113-generic)

The host KVM touches NULL pointer (vmx->nested.current_vmcs12) when a
(crafted or buggy) guest issues a single-context INVEPT instruction
*without* VMPTRLD like this:

 kvm_cpu_vmxon(phys_addr);
 ept_sync_context(0);

(requires nested EPT; full linux kernel module code attached)

This code is introduced in upstream commit bfd0a56b90005f8c8a004baf407ad90045c2b11e
(nEPT: Nested INVEPT) and removed in 4b855078601fc422dbac3059f2215e776f49780f
(KVM: nVMX: Don't advertise single context invalidation for invept).
Therefore there should be two ways to fix this.

a. pullup bfd0a56b90005f (and 45e11817d5703e)
b. check current_vmcs12 before accessing for minimal fix:

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index d9e567f..d785e9c 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6391,6 +6391,8 @@ static int handle_invept(struct kvm_vcpu *vcpu)

  switch (type) {
  case VMX_EPT_EXTENT_CONTEXT:
+ if (to_vmx(vcpu)->nested.current_vmptr == -1ull)
+ break;
   if ((operand.eptp & eptp_mask) !=
     (nested_ept_get_cr3(vcpu) & eptp_mask))
    break;

CVE References

Tyler Hicks (tyhicks) wrote :

Hello and thank you for the bug report!

I don't see an existing CVE assigned to this issue. CVE-2014-3645 affects a similar area of the kernel source but it has a different impact and is not the same issue.

We need a little bit of time to verify the report. Thank you for such a clear description.

Tyler Hicks (tyhicks) wrote :
Download full text (3.6 KiB)

I have verified the host kernel BUG using a 14.04 host and guest combination:

[11266.585362] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
[11266.585396] IP: [<ffffffffa0321ca3>] handle_invept+0x123/0x170 [kvm_intel]
[11266.585430] PGD 0
[11266.585436] Oops: 0000 [#1] SMP
[11266.585452] Modules linked in: vhost_net vhost macvtap macvlan ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT xt_CHECKSUM iptable_mangle xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter ip_tables ebtable_nat ebtables x_tables kvm_intel snd_hda_intel snd_hda_codec snd_hwdep snd_pcm kvm snd_page_alloc crct10dif_pclmul snd_seq_midi crc32_pclmul snd_seq_midi_event ghash_clmulni_intel snd_rawmidi aesni_intel aes_x86_64 lrw gf128mul snd_seq glue_helper qxl ablk_helper cryptd snd_seq_device ttm snd_timer drm_kms_helper drm snd serio_raw rfcomm bnep bluetooth soundcore i2c_piix4 mac_hid parport_pc ppdev lp parport psmouse pata_acpi floppy [last unloaded: kvm_intel]
[11266.585506] CPU: 0 PID: 14128 Comm: qemu-system-x86 Not tainted 3.13.0-116-generic #163-Ubuntu
[11266.585509] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[11266.585511] task: ffff88001d1dc800 ti: ffff88003d544000 task.ti: ffff88003d544000
[11266.585513] RIP: 0010:[<ffffffffa0321ca3>] [<ffffffffa0321ca3>] handle_invept+0x123/0x170 [kvm_intel]
[11266.585523] RSP: 0018:ffff88003d545cb0 EFLAGS: 00010246
[11266.585525] RAX: 0000000000000000 RBX: ffff88003cd38000 RCX: 0000000000000000
[11266.585527] RDX: 0007fffffffff000 RSI: 00007f522360dd18 RDI: ffff88003d545cd8
[11266.585528] RBP: ffff88003d545cf0 R08: 0000000000000000 R09: 0000000000000010
[11266.585529] R10: 0000000000000000 R11: ffff88001f60da1e R12: 0000000000000001
[11266.585531] R13: 000000001061c100 R14: ffff88001d1dc800 R15: ffff88003cd38030
[11266.585533] FS: 00007f523085f700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[11266.585535] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11266.585536] CR2: 0000000000000070 CR3: 0000000036bb6000 CR4: 00000000001427f0
[11266.585545] Stack:
[11266.585547] ffff88001f60dd08 ffff88003d545cf0 ffffffffa031f7b6 0000000000000000
[11266.585550] 0000000000000000 ffff88003cd38000 0000000000000032 0000000000000000
[11266.585553] ffff88003d545d40 ffffffffa032347d ffffffffffffff10 ffffffff00000000
[11266.585556] Call Trace:
[11266.585571] [<ffffffffa031f7b6>] ? handle_vmon+0x106/0x160 [kvm_intel]
[11266.585577] [<ffffffffa032347d>] vmx_handle_exit+0xbd/0x8e0 [kvm_intel]
[11266.585677] [<ffffffffa02230e5>] vcpu_enter_guest+0x8b5/0xd80 [kvm]
[11266.585684] [<ffffffffa031f0b8>] ? vmx_deliver_posted_interrupt+0x38/0x90 [kvm_intel]
[11266.585702] [<ffffffffa0242165>] ? kvm_apic_local_deliver+0x65/0x70 [kvm]
[11266.585718] [<ffffffffa02275f8>] kvm_arch_vcpu_ioctl_run+0x1e8/0x460 [kvm]
[11266.585729] [<ffffffffa0210fe2>] kvm_vcpu_ioctl+0x2a2/0x600 [kvm]
[11266.585779] [<ffffffff810dcfd1>] ? futex_wake+0x1b1/0x1d0
[11266.585794] [<ffffffff811d5ad0>] do_vfs_ioctl+0x2e0/0x4c0
[11266.585797] [<ffffffff811d5d31>] SyS_ioctl+0x81/0xa0
[11266.585824] [<...

Read more...

Changed in linux (Ubuntu):
status: New → Confirmed
importance: Undecided → High
minoura (minoura-valinux) wrote :

Thanks for confirmation.

> I don't see an existing CVE assigned to this issue. CVE-2014-3645 affects a similar area of the kernel source but > it has a different impact and is not the same issue.

Yeah, probably we've found this problem for the first time (as long as I've searched through the git.kernel.org) and I have no idea about reporting it to some security authority (CERT/CC? or something??) by myself.

Tyler Hicks (tyhicks) wrote :

I can request the CVE and coordinate with other Linux distributions but I'd like the kernel team to verify the fix before I do that.

minoura (minoura-valinux) wrote :

That's what I expected. Thanks.

Tyler Hicks (tyhicks) wrote :

Hi minoura - I was able to verify that your proposed fix does prevent the NULL pointer exception. I had a question about the fix as I'm not very familiar with the code in vmx.c. Should we also check if to_vmx(vcpu)->nested.current_vmcs12 is NULL and, if so, break? I'm not clear if current_vmptr and current_vmcs12 are always guaranteed to have corresponding values.

Tyler Hicks (tyhicks) wrote :

It looks to me that both variables are updated in lock-step. Also, I see that nested_vmx_failValid() and nested_vmx_check_vmcs12() both only check current_vmptr so perhaps that is sufficient.

minoura (minoura-valinux) wrote :

Yeah, actually I copied it from the other parts in vmx.c, such as nested_vmx_check_vmcs12, called from handle_vmwrite and others.

Tyler Hicks (tyhicks) wrote :

Thanks!

I'm making this bug public since all the details and PoC are already public here:

  https://bugzilla.kernel.org/show_bug.cgi?id=195167

information type: Private Security → Public Security
Tyler Hicks (tyhicks) wrote :

I think the original bug description is incorrect about which kernel versions are affected. It looks to me like the flaw was introduced in 3.12:

$ git describe --contains bfd0a56b90005f8c8a004baf407ad90045c2b11e
v3.12-rc1~143^2~30

It was fixed in 3.16:

$ git describe --contains 4b855078601fc422dbac3059f2215e776f49780f
v3.16-rc4~21^2^2~33

3.12 through 3.15 are affected. In Ubuntu, only Ubuntu 14.04 is affected.

Tyler Hicks (tyhicks) on 2017-04-24
Changed in linux (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High
Changed in linux (Ubuntu):
status: Confirmed → Invalid
Tyler Hicks (tyhicks) wrote :

This is CVE-2017-8106.

Changed in linux (Ubuntu Trusty):
status: Triaged → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
minoura (minoura-valinux) wrote :

Tested with linux-image-3.13.0-119-generic 3.13.0-119.166 and confirmed the problem disappeared. Thanks!

tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-119.166

---------------
linux (3.13.0-119.166) trusty; urgency=low

  * linux: 3.13.0-119.166 -proposed tracker (LP: #1687718)

  * CVE-2016-8645: Linux kernel mishandles socket buffer (skb) truncation
    (LP: #1687107)
    - rose: limit sk_filter trim to payload
    - tcp: take care of truncations done by sk_filter()

linux (3.13.0-118.165) trusty; urgency=low

  * linux: 3.13.0-118.165 -proposed tracker (LP: #1686154)

  * linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in
    handle_invept() (LP: #1678676)
    - SAUCE: KVM has a flaw in INVEPT emulation that could crash the host

  * Please backport fix to reference leak in cgroup blkio throttle
    (LP: #1683976)
    - block: fix module reference leak on put_disk() call for cgroups throttle

 -- Thadeu Lima de Souza Cascardo <email address hidden> Tue, 02 May 2017 15:14:50 -0300

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.