Allele Security Intelligence - ASA-2019-00085 – Linux kernel: Uninitialized memory leak in kvm_inject_page

Allele Security Alert

ASA-2019-00085

Identifier(s)

ASA-2019-00085, CVE-2019-7222

Title

Uninitialized memory leak in kvm_inject_page_fault()

Vendor(s)

Linux foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.0

Linux kernel versions 4.20.x before 4.20.8
Linux kernel versions 4.19.x before 4.19.21
Linux kernel versions 4.14.x before 4.14.99
Linux kernel versions 4.9.x before 4.9.156
Linux kernel versions 4.4.x before 4.4.175
Linux kernel versions 3.18.x before 3.18.135
Linux kernel versions 3.16.x before 3.16.64

Fixed version(s)

Linux kernel version 5.0

Linux kernel version 4.20.8
Linux kernel version 4.19.21
Linux kernel version 4.14.99
Linux kernel version 4.9.156
Linux kernel version 4.4.175
Linux kernel version 3.18.135
Linux kernel version 3.16.64

Linux kernel versions with the following commit applied:

KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=353c0956a618a07ba4bbe7ad00ff29fe70e8412a

Proof of concept

Yes

Description

An information leakage issue was found in the way Linux kernel’s KVM hypervisor handled page fault exceptions while emulating instructions like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with memory address as an operand. It occurs if the operand is a MMIO address, as the returned exception object holds uninitialized stack memory contents. A guest user/process could use this flaw to leak host’s stack memory contents to a guest.

Technical details

A number of functions in KVM pass an unitialized x86_exception struct to kvm_read_guest_virt and trigger a page-fault exception using this struct if kvm_read_guest_virt returns an error value:

struct x86_exception e;

...
if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) {
kvm_inject_page_fault(vcpu, &e);
return 1;
}

However, kvm_read_guest_virt can return an error without initializing the exception struct when it is being called on an address used for MMIO:

static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
struct kvm_vcpu *vcpu, u32 access,
struct x86_exception *exception)
{
void *data = val;
int r = X86EMUL_CONTINUE;

while (bytes) {
....
ret = kvm_vcpu_read_guest_page(vcpu, gpa >> PAGE_SHIFT, data,
offset, toread);
if (ret < 0) {
r = X86EMUL_IO_NEEDED;
goto out;
}

....
}
out:
return r;
}

In this case kvm_inject_page_fault leaks uninitialized stack memory to the guest as part of cr2 and the error code. An invalid error code can lead to an vm entry failure so a guest-only attacker needs to be careful about choosing a valid leak target.