Prevent arm64 guest from accessing host debug registers

Bug #1860657 reported by Tyler Hicks on 2020-01-23
Affects: linux (Ubuntu), status tracked in Focal
  Bionic: importance Undecided, Unassigned
  Disco: importance Undecided, Unassigned
  Eoan: importance Undecided, Unassigned
  Focal: importance Medium, assigned to Thadeu Lima de Souza Cascardo

Bug Description

[Impact]
Guests could access host debug/PMU registers. This could happen very briefly before they are first preempted.
This only affects arm64 CPUs that support virtualization.

[Regression potential]
This could break virtualization or guest access to PMU registers.

[Test case]
A guest was run on a host with the patched kernel, and perf top was run inside the guest. Using uvtool:

host$ sudo apt install uvtool qemu-efi-aarch64
host$ uvt-kvm create test release=eoan arch=arm64
host$ uvt-kvm ssh test
guest$ sudo perf top
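As an added companion to the test case (example script, not part of the bug report): before running the perf top check it decides, from /proc/version_signature, whether an Ubuntu kernel is at or above the package versions this page's changelog entries record as carrying the fix (eoan 5.3.0-42.34, bionic 4.15.0-91.92). The "Ubuntu <version>-<flavour> <upstream>" layout of the signature line and the flavour-suffix handling are assumptions.

```sh
#!/bin/sh
# Added example, not part of the bug report: decide from an Ubuntu kernel
# version signature whether the kernel is at or above the package version that
# this page's changelog entries record as carrying the fix.
# Fixed versions stated on this page: eoan 5.3.0-42.34, bionic 4.15.0-91.92
# (the disco and focal fixed versions are not stated here, so they are not listed).

fixed_version_for() {
    case "$1" in
        eoan)   echo "5.3.0-42.34" ;;
        bionic) echo "4.15.0-91.92" ;;
        *)      echo "no fixed version recorded for '$1'" >&2; return 1 ;;
    esac
}

# Take the package version out of a /proc/version_signature line, e.g.
# "Ubuntu 5.3.0-42.34-generic 5.3.18" -> "5.3.0-42.34" (flavour suffix dropped).
# Assumption: the signature keeps this "Ubuntu <version>-<flavour> <upstream>" layout.
package_version_from_signature() {
    echo "$1" | awk '{ print $2 }' | sed 's/-[a-z].*$//'
}

# version_ge A B: succeed when A >= B, comparing dot/dash separated numeric
# fields left to right; a missing trailing field counts as 0.
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%[.-]*}; y=${b%%[.-]*}
        a=${a#*[.-]};  b=${b#*[.-]}
        x=${x:-0};     y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# kernel_is_fixed RELEASE SIGNATURE: succeed when SIGNATURE's package version
# is at or above the fixed version for RELEASE (exit 2 for unknown releases).
kernel_is_fixed() {
    fixed=$(fixed_version_for "$1") || return 2
    version_ge "$(package_version_from_signature "$2")" "$fixed"
}

# On a real Ubuntu host or guest: sh thisscript.sh eoan
if [ -n "$1" ] && [ -r /proc/version_signature ]; then
    if kernel_is_fixed "$1" "$(cat /proc/version_signature)"; then
        echo "kernel carries the fix for LP: #1860657; proceed with the perf top check"
    else
        echo "kernel predates the fix; do not mark verification-done"
    fi
fi
```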

Tyler Hicks (tyhicks) on 2020-01-31
information type: Private Security → Public Security
summary: - Placeholder bug
+ arm64/KVM debug registers vulnerability
description: updated
summary: - arm64/KVM debug registers vulnerability
+ Prevent arm64 guest from accessing host debug registers
description: updated
Changed in linux (Ubuntu Focal):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Eoan):
status: New → In Progress
Changed in linux (Ubuntu Disco):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-eoan

All autopkgtests for the newly accepted linux-bluefield (5.0.0-1010.20) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

fsprotect/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-bluefield

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.3.0-42.34

---------------
linux (5.3.0-42.34) eoan; urgency=medium

  * eoan/linux: 5.3.0-42.34 -proposed tracker (LP: #1865111)

  * CVE-2020-2732
    - KVM: nVMX: Don't emulate instructions in guest mode
    - KVM: nVMX: Refactor IO bitmap checks into helper function
    - KVM: nVMX: Check IO instruction VM-exit conditions

linux (5.3.0-41.33) eoan; urgency=medium

  * eoan/linux: 5.3.0-41.33 -proposed tracker (LP: #1863294)

  * CVE-2019-3016
    - x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit
    - x86/kvm: Introduce kvm_(un)map_gfn()
    - x86/kvm: Cache gfn to pfn translation
    - x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed
    - x86/KVM: Clean up host's steal time structure

  * Reduce s2idle power consumption when ethernet cable is connected on e1000e
    (LP: #1859126)
    - e1000e: Add support for S0ix

  * alsa/sof: let legacy hda driver and sof driver co-exist (LP: #1837828)
    - ASoC: Intel: Skylake: move NHLT header to common directory
    - ALSA: hda: move parts of NHLT code to new module
    - ALSA: hda: intel-nhlt: handle NHLT VENDOR_DEFINED DMIC geometry
    - ASoC: Intel: Skylake: use common NHLT module
    - ALSA: hda/intel: stop probe if DMICS are detected on Skylake+ platforms
    - [Config] Enable SND_HDA_INTEL_DETECT_DMIC

  * USB key cannot be detected by hotplug on Sunix USB Type-A 3.1 Gen 2 card
    [1b21:2142] (LP: #1858988)
    - SAUCE: PCI: Avoid ASMedia XHCI USB PME# from D0 defect

  * ipsec interfaces: fix sending with bpf_redirect() / AF_PACKET sockets
    (LP: #1860969)
    - vti[6]: fix packet tx through bpf_redirect()
    - xfrm interface: fix packet tx through bpf_redirect()

  * peripheral devices on Dell WD19TB cannot be detected after suspend resume
    (LP: #1859407)
    - PCI: irq: Introduce rearm_wake_irq()
    - ACPICA: Return u32 from acpi_dispatch_gpe()
    - ACPI: EC: Return bool from acpi_ec_dispatch_gpe()
    - ACPI: PM: Set s2idle_wakeup earlier and clear it later
    - PM: sleep: Simplify suspend-to-idle control flow
    - ACPI: EC: Rework flushing of pending work

  * Dell XPS 13 (7390) Display Flickering - 19.10 (LP: #1849947)
    - SAUCE: drm/i915: Disable PSR by default on all platforms

  * Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"

  * [CML-H] Add intel_thermal_pch driver support Comet Lake -H (LP: #1853219)
    - thermal: intel: intel_pch_thermal: Add Comet Lake (CML) platform support

  * Eoan update: upstream stable patchset 2020-02-07 (LP: #1862429)
    - ARM: dts: meson8: fix the size of the PMU registers
    - clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs
    - dt-bindings: reset: meson8b: fix duplicate reset IDs
    - ARM: dts: imx6q-dhcom: fix rtc compatible
    - clk: Don't try to enable critical clocks if prepare failed
    - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use
    - iio: buffer: align the size of scan bytes to size of the largest element
    - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
    - USB: serial: option: Add support for Quec...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-91.92

---------------
linux (4.15.0-91.92) bionic; urgency=medium

  * bionic/linux: 4.15.0-91.92 -proposed tracker (LP: #1865109)

  * CVE-2020-2732
    - KVM: x86: emulate RDPID
    - KVM: nVMX: Don't emulate instructions in guest mode
    - KVM: nVMX: Refactor IO bitmap checks into helper function
    - KVM: nVMX: Check IO instruction VM-exit conditions

linux (4.15.0-90.91) bionic; urgency=medium

  * bionic/linux: 4.15.0-90.91 -proposed tracker (LP: #1864753)

  * dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [packaging] handle downloads from the librarian better

linux (4.15.0-90.90) bionic; urgency=medium

  * bionic/linux: 4.15.0-90.90 -proposed tracker (LP: #1864753)

  * vm-segv from ubuntu_stress_smoke_test failed on B (LP: #1864063)
    - Revert "apparmor: don't try to replace stale label in ptrace access check"

linux (4.15.0-89.89) bionic; urgency=medium

  * bionic/linux: 4.15.0-89.89 -proposed tracker (LP: #1863350)

  * [SRU][B/OEM-B] Fix multitouch support on some devices (LP: #1862567)
    - HID: core: move the dynamic quirks handling in core
    - HID: quirks: move the list of special devices into a quirk
    - HID: core: move the list of ignored devices in hid-quirks.c
    - HID: core: remove the absolute need of hid_have_special_driver[]

  * [linux] Patch to prevent possible data corruption (LP: #1848739)
    - blk-mq: silence false positive warnings in hctx_unlock()

  * Add bpftool to linux-tools-common (LP: #1774815)
    - tools/bpftool: fix bpftool build with bintutils >= 2.9
    - bpftool: make libbfd optional
    - [Debian] Remove binutils-dev build dependency
    - [Debian] package bpftool in linux-tools-common

  * Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"

  * [Bionic] i915 incomplete fix for CVE-2019-14615 (LP: #1862840) //
    CVE-2020-8832
    - drm/i915: Use same test for eviction and submitting kernel context
    - drm/i915: Define an engine class enum for the uABI
    - drm/i915: Force the switch to the i915->kernel_context
    - drm/i915: Move GT powersaving init to i915_gem_init()
    - drm/i915: Move intel_init_clock_gating() to i915_gem_init()
    - drm/i915: Inline intel_modeset_gem_init()
    - drm/i915: Mark the context state as dirty/written
    - drm/i915: Record the default hw state after reset upon load

  * Bionic update: upstream stable patchset 2020-02-12 (LP: #1863019)
    - xfs: Sanity check flags of Q_XQUOTARM call
    - mfd: intel-lpss: Add default I2C device properties for Gemini Lake
    - powerpc/archrandom: fix arch_get_random_seed_int()
    - tipc: fix wrong timeout input for tipc_wait_for_cond()
    - mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
    - crypto: sun4i-ss - fix big endian issues
    - drm/sti: do not remove the drm_bridge that was never added
    - drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
    - ALSA: hda: fix unused variable warning
    - apparmor: don't try to replace stale label in ptrace access chec...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
