Prevent arm64 guest from accessing host debug registers
Bug #1860657 reported by
Tyler Hicks
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Committed
|
Medium
|
Thadeu Lima de Souza Cascardo | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Disco |
Won't Fix
|
Undecided
|
Unassigned | ||
Eoan |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Committed
|
Medium
|
Thadeu Lima de Souza Cascardo |
Bug Description
[Impact]
Guests could access host debug/PMU registers. This could happen very briefly before they are first preempted.
This only affects arm64 CPUs that support virtualization.
[Regression potential]
This could break virtualization or guest access to PMU registers.
[Test case]
A guest has been run with a host with the patched kernel. perf top has been run on the guest. Using uvtool:
host$ sudo apt install uvtool qemu-efi-aarch64
host$ uvt-kvm create test release=eoan arch=arm64
host$ uvt-kvm ssh test
guest$ sudo perf top
CVE References
information type: | Private Security → Public Security |
summary: |
- Placeholder bug + arm64/KVM debug registers vulnerability |
description: | updated |
summary: |
- arm64/KVM debug registers vulnerability + Prevent arm64 guest from accessing host debug registers |
description: | updated |
Changed in linux (Ubuntu Focal): | |
status: | Triaged → Fix Committed |
Changed in linux (Ubuntu Eoan): | |
status: | New → In Progress |
Changed in linux (Ubuntu Disco): | |
status: | New → In Progress |
Changed in linux (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in linux (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Disco): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Eoan): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Disco): | |
status: | Fix Committed → Won't Fix |
To post a comment you must log in.
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification- needed- bionic' to 'verification- done-bionic' . If the problem still exists, change the tag 'verification- needed- bionic' to 'verification- failed- bionic' .
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you!