ASA-2019-00085 – Linux kernel: Uninitialized memory leak in kvm_inject_page_fault()

Allele Security Alert



ASA-2019-00085, CVE-2019-7222


Uninitialized memory leak in kvm_inject_page_fault()


Linux Foundation


Linux kernel

Affected version(s)

Linux kernel versions before 5.0

Linux kernel versions 4.20.x before 4.20.8
Linux kernel versions 4.19.x before 4.19.21
Linux kernel versions 4.14.x before 4.14.99
Linux kernel versions 4.9.x before 4.9.156
Linux kernel versions 4.4.x before 4.4.175
Linux kernel versions 3.18.x before 3.18.135
Linux kernel versions 3.16.x before 3.16.64

Fixed version(s)

Linux kernel version 5.0

Linux kernel version 4.20.8
Linux kernel version 4.19.21
Linux kernel version 4.14.99
Linux kernel version 4.9.156
Linux kernel version 4.4.175
Linux kernel version 3.18.135
Linux kernel version 3.16.64

Linux kernel versions with the following commit applied:

KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)

Proof of concept



An information leakage issue was found in the way the Linux kernel's KVM hypervisor handled page fault exceptions while emulating instructions such as VMXON, VMCLEAR, VMPTRLD, and VMWRITE with a memory address as an operand. It occurs if the operand is an MMIO address, because the exception object returned for that case holds uninitialized stack memory contents. A guest user/process could use this flaw to leak the host's stack memory contents into the guest.

Technical details

A number of functions in KVM pass an uninitialized x86_exception struct to kvm_read_guest_virt and trigger a page-fault exception using this struct if kvm_read_guest_virt returns an error value:

struct x86_exception e;
/* ... */
if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) {
        kvm_inject_page_fault(vcpu, &e);   /* e is used whether or not it was filled in */
        return 1;
}

However, kvm_read_guest_virt can return an error without initializing the exception struct when it is being called on an address used for MMIO:

static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
                                      struct kvm_vcpu *vcpu, u32 access,
                                      struct x86_exception *exception)
{
        void *data = val;
        int r = X86EMUL_CONTINUE;

        while (bytes) {
                /* ... gva_to_gpa() fills *exception only on a page-table miss ... */
                ret = kvm_vcpu_read_guest_page(vcpu, gpa >> PAGE_SHIFT, data,
                                               offset, toread);
                if (ret < 0) {
                        r = X86EMUL_IO_NEEDED;   /* MMIO: error path, *exception left untouched */
                        goto out;
                }
                /* ... */
        }
out:
        return r;
}

In this case kvm_inject_page_fault leaks uninitialized stack memory to the guest as part of cr2 and the error code. An invalid error code can lead to a VM entry failure, so a guest-only attacker needs to be careful about choosing a valid leak target.
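The following C model is an added example and is not kernel code or part of the original alert. It reproduces the pattern described above with hypothetical stand-ins for struct x86_exception, kvm_read_guest_virt_helper, kvm_read_guest_virt and kvm_inject_page_fault: the helper fails on an MMIO page without writing the exception struct, and the caller injects a fault from whatever the struct contains. The hardened path mirrors what the upstream fix commit does, which is to zero the exception struct in kvm_read_guest_virt before the helper runs. Because reading a genuinely uninitialized struct is undefined behaviour in C, the stale stack contents are passed in explicitly as a constructed value.

```c
/*
 * Added example, not kernel code: a small C model of the CVE-2019-7222
 * pattern. Structs, functions and the guest memory layout below are
 * hypothetical stand-ins for the KVM code discussed in the alert.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 1
#define X86EMUL_IO_NEEDED       2

/* Subset of the fields of KVM's struct x86_exception. */
struct x86_exception {
    uint8_t  vector;
    uint8_t  error_code_valid;
    uint16_t error_code;
    uint64_t address;      /* becomes cr2 when a #PF is injected */
};

/* Constructed guest address space for the model: one RAM page, one MMIO
 * page, everything else unmapped. */
#define RAM_PAGE  0x1000ULL
#define MMIO_PAGE 0x2000ULL

/* Model of kvm_read_guest_virt_helper before the fix. A page-table miss
 * fills *exception, but the MMIO path fails with X86EMUL_IO_NEEDED and
 * never writes to *exception at all. */
static int read_guest_virt_helper(uint64_t gva, struct x86_exception *exception)
{
    uint64_t page = gva & ~0xfffULL;

    if (page == RAM_PAGE)
        return X86EMUL_CONTINUE;
    if (page == MMIO_PAGE)
        return X86EMUL_IO_NEEDED;          /* error, *exception untouched */

    exception->vector = 14;                /* #PF */
    exception->error_code_valid = 1;
    exception->error_code = 0;             /* not-present */
    exception->address = gva;
    return X86EMUL_PROPAGATE_FAULT;
}

/* Model of kvm_read_guest_virt. With hardened != 0 it applies the
 * upstream workaround: zero the caller's struct before the helper runs,
 * so an X86EMUL_IO_NEEDED return can no longer expose stale contents. */
static int read_guest_virt(uint64_t gva, struct x86_exception *exception, int hardened)
{
    if (hardened)
        memset(exception, 0, sizeof(*exception));
    return read_guest_virt_helper(gva, exception);
}

/* What the guest observes after kvm_inject_page_fault(vcpu, &e). */
struct injected_fault {
    int      injected;
    uint64_t cr2;
    uint16_t error_code;
};

/* Model of a caller such as the VMPTRLD operand fetch. Reading a genuinely
 * uninitialized struct is undefined behaviour in C, so the model takes the
 * stale stack contents as an explicit argument instead. */
static struct injected_fault emulate_vm_operand(uint64_t gva,
                                                const struct x86_exception *stale,
                                                int hardened)
{
    struct x86_exception e = *stale;       /* stands in for "struct x86_exception e;" */
    struct injected_fault f = { 0, 0, 0 };

    if (read_guest_virt(gva, &e, hardened)) {
        /* kvm_inject_page_fault: cr2 and error code come straight from e */
        f.injected = 1;
        f.cr2 = e.address;
        f.error_code = e.error_code;
    }
    return f;
}

int main(void)
{
    /* Constructed leftovers from an earlier call on the same stack slot. */
    struct x86_exception stale = { 14, 1, 0xbeef, 0x4141414141414141ULL };
    struct injected_fault v = emulate_vm_operand(MMIO_PAGE + 0x10, &stale, 0);
    struct injected_fault h = emulate_vm_operand(MMIO_PAGE + 0x10, &stale, 1);

    printf("vulnerable: cr2=%#llx error_code=%#x\n",
           (unsigned long long)v.cr2, v.error_code);
    printf("hardened:   cr2=%#llx error_code=%#x\n",
           (unsigned long long)h.cr2, h.error_code);
    return 0;
}
```

On the MMIO page the unhardened path injects a fault whose cr2 and error code are the stale values, while the hardened path injects cr2 = 0 and error code 0; the workaround stops the leak but, as the fix's title says, the callers still inject a page fault for an MMIO operand rather than handling X86EMUL_IO_NEEDED.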


Felix Wilhelm (Google Project Zero)


Issue 1759: KVM: uninitialized memory leak in kvm_inject_page_fault

KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)

KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)

Linux 5.0

Linux 4.20.8

Linux 4.19.21

Linux 4.14.99

Linux 4.9.156

Linux 4.4.175

Linux 3.18.135

Linux 3.16.64

CVE-2019-7222 - Red Hat Customer Portal

CVE-2019-7222 | SUSE


CVE-2019-7222 in Ubuntu



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.