ASA-2019-00085 – Linux kernel: Uninitialized memory leak in kvm_inject_page_fault()


Allele Security Alert

ASA-2019-00085

Identifier(s)

ASA-2019-00085, CVE-2019-7222

Title

Uninitialized memory leak in kvm_inject_page_fault()

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.0

Linux kernel versions 4.20.x before 4.20.8
Linux kernel versions 4.19.x before 4.19.21
Linux kernel versions 4.14.x before 4.14.99
Linux kernel versions 4.9.x before 4.9.156
Linux kernel versions 4.4.x before 4.4.175
Linux kernel versions 3.18.x before 3.18.135
Linux kernel versions 3.16.x before 3.16.64

Fixed version(s)

Linux kernel version 5.0

Linux kernel version 4.20.8
Linux kernel version 4.19.21
Linux kernel version 4.14.99
Linux kernel version 4.9.156
Linux kernel version 4.4.175
Linux kernel version 3.18.135
Linux kernel version 3.16.64

Linux kernel versions with the following commit applied:

KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=353c0956a618a07ba4bbe7ad00ff29fe70e8412a

Proof of concept

Yes

Description

An information leakage issue was found in the way the Linux kernel's KVM hypervisor handled page fault exceptions while emulating instructions such as VMXON, VMCLEAR, VMPTRLD, and VMWRITE with a memory address as an operand. It occurs if the operand is an MMIO address, because the exception object returned in that case holds uninitialized stack memory contents. A guest user/process could use this flaw to leak the host's stack memory contents into the guest.

Technical details

A number of functions in KVM pass an uninitialized x86_exception struct to kvm_read_guest_virt and trigger a page-fault exception using this struct if kvm_read_guest_virt returns an error value:

    struct x86_exception e;

    ...
    if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) {
        kvm_inject_page_fault(vcpu, &e);
        return 1;
    }

However, kvm_read_guest_virt can return an error without initializing the exception struct when it is being called on an address used for MMIO:

    static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
                                          struct kvm_vcpu *vcpu, u32 access,
                                          struct x86_exception *exception)
    {
        void *data = val;
        int r = X86EMUL_CONTINUE;

        while (bytes) {
            ....
            ret = kvm_vcpu_read_guest_page(vcpu, gpa >> PAGE_SHIFT, data,
                                           offset, toread);
            if (ret < 0) {
                r = X86EMUL_IO_NEEDED;
                goto out;
            }

            ....
        }
    out:
        return r;
    }

In this case kvm_inject_page_fault leaks uninitialized stack memory to the guest as part of cr2 and the error code. An invalid error code can lead to a VM entry failure, so a guest-only attacker needs to be careful about choosing a valid leak target.
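The defect pattern and its workaround as a stand-alone C model, added here and not taken from the kernel: a read helper with two error returns, one of which describes the fault and one of which never writes the exception struct, beside a caller that treats every error as a page fault and a caller that zeroes the struct and injects only on a reported fault. The MMIO and unmapped address ranges, the STALE sentinel that stands in for stale stack contents, and the toy vcpu are constructed for the simulation; the zero-initialization mirrors the workaround in the referenced commit, while the explicit switch on the return code is an additional check added in this example.

```c
#include <stdint.h>
/* Simplified emulator return codes, named after KVM's. */
enum { X86EMUL_CONTINUE = 0, X86EMUL_PROPAGATE_FAULT = 1, X86EMUL_IO_NEEDED = 2 };
#define PF_VECTOR 14
#define MMIO_BASE 0xfee00000ull               /* constructed: one unbacked MMIO page */
#define UNMAPPED_START 0xffff800000000000ull  /* constructed: nothing mapped from here up */
struct x86_exception { uint8_t vector; uint32_t error_code; uint64_t address; };
/* Toy vCPU: records the last injected fault as the guest would observe it. */
struct vcpu { uint8_t vector; uint32_t error_code; uint64_t cr2; int internal_error; };
/* Models kvm_read_guest_virt: fills *e only on the page-fault path. */
static int read_guest_virt(uint64_t gva, uint64_t *val, struct x86_exception *e)
{
	if (gva >= UNMAPPED_START) {
		e->vector = PF_VECTOR; e->error_code = 0; e->address = gva;
		return X86EMUL_PROPAGATE_FAULT;
	}
	if (gva >= MMIO_BASE && gva < MMIO_BASE + 0x1000)
		return X86EMUL_IO_NEEDED;        /* error return that never touches *e */
	*val = 0x1000;                           /* constructed "VMCS pointer" value */
	return X86EMUL_CONTINUE;
}
static void inject_page_fault(struct vcpu *v, const struct x86_exception *e)
{
	v->vector = PF_VECTOR; v->error_code = e->error_code; v->cr2 = e->address;
}
/* Stand-in for stale stack contents; reading a real uninitialized local is UB. */
static const struct x86_exception STALE = { 0x41, 0xdeadbeefu, 0x4141414141414141ull };
/* Vulnerable pattern from the advisory: any non-zero return becomes a page fault. */
int handle_vmptrld_vulnerable(struct vcpu *v, uint64_t gva)
{
	struct x86_exception e = STALE;          /* models the uninitialized local */
	uint64_t vmptr;
	if (read_guest_virt(gva, &vmptr, &e)) {
		inject_page_fault(v, &e);        /* MMIO operand: e still holds STALE */
		return 1;
	}
	return 0;
}

/* Hardened: zero the struct up front and inject only on a reported fault. */
int handle_vmptrld_fixed(struct vcpu *v, uint64_t gva)
{
	struct x86_exception e = { 0 };          /* the referenced commit's workaround */
	uint64_t vmptr;
	switch (read_guest_virt(gva, &vmptr, &e)) {
	case X86EMUL_PROPAGATE_FAULT: inject_page_fault(v, &e); return 1;
	case X86EMUL_CONTINUE:        return 0;
	default:                      v->internal_error = 1; return -1;
	}
}
```

With an operand inside the MMIO page the vulnerable handler copies the STALE sentinel into cr2 and the error code, which is exactly what the guest would read; the hardened handler reports an internal error and exposes nothing.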

Credits

Felix Wilhelm (Google Project Zero)

Reference(s)

Issue 1759: KVM: uninitialized memory leak in kvm_inject_page_fault
https://bugs.chromium.org/p/project-zero/issues/detail?id=1759&desc=2

KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=353c0956a618a07ba4bbe7ad00ff29fe70e8412a

KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
https://github.com/torvalds/linux/commit/353c0956a618a07ba4bbe7ad00ff29fe70e8412a

Linux 5.0
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0

Linux 4.20.8
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.8

Linux 4.19.21
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21

Linux 4.14.99
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.99

Linux 4.9.156
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.156

Linux 4.4.175
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.175

Linux 3.18.135
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.135

Linux 3.16.64
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.64

CVE-2019-7222 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-7222

CVE-2019-7222 | SUSE
https://www.suse.com/security/cve/CVE-2019-7222

CVE-2019-7222
https://security-tracker.debian.org/tracker/CVE-2019-7222

CVE-2019-7222 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7222.html

CVE-2019-7222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7222

CVE-2019-7222
https://nvd.nist.gov/vuln/detail/CVE-2019-7222

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.