linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in handle_invept()

Hello and thank you for the bug report!

I don't see an existing CVE assigned to this issue. CVE-2014-3645 affects a similar area of the kernel source but it has a different impact and is not the same issue.

We need a little bit of time to verify the report. Thank you for such a clear description.

I have verified the host kernel BUG using a 14.04 host and guest combination:

[11266.585362] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
[11266.585396] IP: [<ffffffffa0321ca3>] handle_invept+0x123/0x170 [kvm_intel]
[11266.585430] PGD 0
[11266.585436] Oops: 0000 [#1] SMP
[11266.585452] Modules linked in: vhost_net vhost macvtap macvlan ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT xt_CHECKSUM iptable_mangle xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter ip_tables ebtable_nat ebtables x_tables kvm_intel snd_hda_intel snd_hda_codec snd_hwdep snd_pcm kvm snd_page_alloc crct10dif_pclmul snd_seq_midi crc32_pclmul snd_seq_midi_event ghash_clmulni_intel snd_rawmidi aesni_intel aes_x86_64 lrw gf128mul snd_seq glue_helper qxl ablk_helper cryptd snd_seq_device ttm snd_timer drm_kms_helper drm snd serio_raw rfcomm bnep bluetooth soundcore i2c_piix4 mac_hid parport_pc ppdev lp parport psmouse pata_acpi floppy [last unloaded: kvm_intel]
[11266.585506] CPU: 0 PID: 14128 Comm: qemu-system-x86 Not tainted 3.13.0-116-generic #163-Ubuntu
[11266.585509] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[11266.585511] task: ffff88001d1dc800 ti: ffff88003d544000 task.ti: ffff88003d544000
[11266.585513] RIP: 0010:[<ffffffffa0321ca3>] [<ffffffffa0321ca3>] handle_invept+0x123/0x170 [kvm_intel]
[11266.585523] RSP: 0018:ffff88003d545cb0 EFLAGS: 00010246
[11266.585525] RAX: 0000000000000000 RBX: ffff88003cd38000 RCX: 0000000000000000
[11266.585527] RDX: 0007fffffffff000 RSI: 00007f522360dd18 RDI: ffff88003d545cd8
[11266.585528] RBP: ffff88003d545cf0 R08: 0000000000000000 R09: 0000000000000010
[11266.585529] R10: 0000000000000000 R11: ffff88001f60da1e R12: 0000000000000001
[11266.585531] R13: 000000001061c100 R14: ffff88001d1dc800 R15: ffff88003cd38030
[11266.585533] FS: 00007f523085f700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[11266.585535] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11266.585536] CR2: 0000000000000070 CR3: 0000000036bb6000 CR4: 00000000001427f0
[11266.585545] Stack:
[11266.585547] ffff88001f60dd08 ffff88003d545cf0 ffffffffa031f7b6 0000000000000000
[11266.585550] 0000000000000000 ffff88003cd38000 0000000000000032 0000000000000000
[11266.585553] ffff88003d545d40 ffffffffa032347d ffffffffffffff10 ffffffff00000000
[11266.585556] Call Trace:
[11266.585571] [<ffffffffa031f7b6>] ? handle_vmon+0x106/0x160 [kvm_intel]
[11266.585577] [<ffffffffa032347d>] vmx_handle_exit+0xbd/0x8e0 [kvm_intel]
[11266.585677] [<ffffffffa02230e5>] vcpu_enter_guest+0x8b5/0xd80 [kvm]
[11266.585684] [<ffffffffa031f0b8>] ? vmx_deliver_posted_interrupt+0x38/0x90 [kvm_intel]
[11266.585702] [<ffffffffa0242165>] ? kvm_apic_local_deliver+0x65/0x70 [kvm]
[11266.585718] [<ffffffffa02275f8>] kvm_arch_vcpu_ioctl_run+0x1e8/0x460 [kvm]
[11266.585729] [<ffffffffa0210fe2>] kvm_vcpu_ioctl+0x2a2/0x600 [kvm]
[11266.585779] [<ffffffff810dcfd1>] ? futex_wake+0x1b1/0x1d0
[11266.585794] [<ffffffff811d5ad0>] do_vfs_ioctl+0x2e0/0x4c0
[11266.585797] [<ffffffff811d5d31>] SyS_ioctl+0x81/0xa0
[11266.585824] [<...

Thanks for confirmation.

> I don't see an existing CVE assigned to this issue. CVE-2014-3645 affects a similar area of the kernel source but > it has a different impact and is not the same issue.

Yeah, probably we've found this problem for the first time (as long as I've searched through the git.kernel.org) and I have no idea about reporting it to some security authority (CERT/CC? or something??) by myself.

I can request the CVE and coordinate with other Linux distributions but I'd like the kernel team to verify the fix before I do that.

That's what I expected. Thanks.

Hi minoura - I was able to verify that your proposed fix does prevent the NULL pointer exception. I had a question about the fix as I'm not very familiar with the code in vmx.c. Should we also check if to_vmx(vcpu)->nested.current_vmcs12 is NULL and, if so, break? I'm not clear if current_vmptr and current_vmcs12 are always guaranteed to have corresponding values.

It looks to me that both variables are updated in lock-step. Also, I see that nested_vmx_failValid() and nested_vmx_check_vmcs12() both only check current_vmptr so perhaps that is sufficient.

Yeah, actually I copied it from the other parts in vmx.c, such as nested_vmx_check_vmcs12, called from handle_vmwrite and others.

Thanks!

I'm making this bug public since all the details and PoC are already public here:

  https://bugzilla.kernel.org/show_bug.cgi?id=195167

I think the original bug description is incorrect about which kernel versions are affected. It looks to me like the flaw was introduced in 3.12:

$ git describe --contains bfd0a56b90005f8c8a004baf407ad90045c2b11e
v3.12-rc1~143^2~30

It was fixed in 3.16:

$ git describe --contains 4b855078601fc422dbac3059f2215e776f49780f
v3.16-rc4~21^2^2~33

3.12 through 3.15 are affected. In Ubuntu, only Ubuntu 14.04 is affected.

This is CVE-2017-8106.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Tested with linux-image-3.13.0-119-generic 3.13.0-119.166 and confirmed the problem disappeared. Thanks!

This bug was fixed in the package linux - 3.13.0-119.166

---------------
linux (3.13.0-119.166) trusty; urgency=low

  * linux: 3.13.0-119.166 -proposed tracker (LP: #1687718)

  * CVE-2016-8645: Linux kernel mishandles socket buffer (skb) truncation
    (LP: #1687107)
    - rose: limit sk_filter trim to payload
    - tcp: take care of truncations done by sk_filter()

linux (3.13.0-118.165) trusty; urgency=low

  * linux: 3.13.0-118.165 -proposed tracker (LP: #1686154)

  * linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in
    handle_invept() (LP: #1678676)
    - SAUCE: KVM has a flaw in INVEPT emulation that could crash the host

  * Please backport fix to reference leak in cgroup blkio throttle
    (LP: #1683976)
    - block: fix module reference leak on put_disk() call for cgroups throttle

 -- Thadeu Lima de Souza Cascardo <email address hidden> Tue, 02 May 2017 15:14:50 -0300