Allele Security Alert
ASA-2019-00085
Identifier(s)
ASA-2019-00085, CVE-2019-7222
Title
Uninitialized memory leak in kvm_inject_page_fault()
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 5.0
Linux kernel versions 4.20.x before 4.20.8
Linux kernel versions 4.19.x before 4.19.21
Linux kernel versions 4.14.x before 4.14.99
Linux kernel versions 4.9.x before 4.9.156
Linux kernel versions 4.4.x before 4.4.175
Linux kernel versions 3.18.x before 3.18.135
Linux kernel versions 3.16.x before 3.16.64
Fixed version(s)
Linux kernel version 5.0
Linux kernel version 4.20.8
Linux kernel version 4.19.21
Linux kernel version 4.14.99
Linux kernel version 4.9.156
Linux kernel version 4.4.175
Linux kernel version 3.18.135
Linux kernel version 3.16.64
Linux kernel versions with the following commit applied:
KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=353c0956a618a07ba4bbe7ad00ff29fe70e8412a
Proof of concept
Yes
Description
An information leak was found in the way the Linux kernel’s KVM hypervisor handles page-fault exceptions while emulating instructions such as VMXON, VMCLEAR, VMPTRLD and VMWRITE that take a memory address as an operand. It occurs when the operand is an MMIO address: the exception object returned in that case carries uninitialized host stack contents. A guest user or process could use this flaw to leak the host’s stack memory contents into the guest.
Technical details
A number of functions in KVM pass an uninitialized x86_exception struct to kvm_read_guest_virt and, if kvm_read_guest_virt returns an error value, inject a page-fault exception built from that struct:

    struct x86_exception e;
    ...
    if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) {
        kvm_inject_page_fault(vcpu, &e);
        return 1;
    }
However, kvm_read_guest_virt can return an error without initializing the exception struct when it is called on an address used for MMIO:

    static int kvm_read_guest_virt_helper(gva_t addr, void *val, unsigned int bytes,
                                          struct kvm_vcpu *vcpu, u32 access,
                                          struct x86_exception *exception)
    {
        void *data = val;
        int r = X86EMUL_CONTINUE;

        while (bytes) {
            ....
            ret = kvm_vcpu_read_guest_page(vcpu, gpa >> PAGE_SHIFT, data,
                                           offset, toread);
            if (ret < 0) {
                r = X86EMUL_IO_NEEDED;
                goto out;
            }
            ....
        }
    out:
        return r;
    }

In this case kvm_inject_page_fault leaks uninitialized stack memory to the guest as part of cr2 and the error code. An invalid error code can lead to a VM-entry failure, so a guest-only attacker needs to be careful about choosing a valid leak target.
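As an added illustration that is neither the kernel's code nor part of the original alert, the following constructed C model places the vulnerable call pattern beside the workaround the fix commit applies (zeroing the exception struct inside the read wrapper before the helper runs). The names read_guest_virt_helper, read_guest_virt_fixed, emulate_vmptrld and is_mmio are hypothetical, and stale stack bytes are simulated with a marker value.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the KVM pattern; names mirror the kernel's but this
 * is not kernel code. */
#define X86EMUL_CONTINUE  0
#define X86EMUL_IO_NEEDED 2

struct x86_exception {
    uint8_t  vector;
    uint8_t  error_code_valid;
    uint16_t error_code;
    uint64_t address;   /* becomes cr2 when the page fault is injected */
};

/* Model of kvm_read_guest_virt_helper: an MMIO operand makes the backing
 * page read fail and the helper returns X86EMUL_IO_NEEDED without ever
 * writing *e. The untouched struct is the bug. */
static int read_guest_virt_helper(uint64_t gva, int is_mmio,
                                  struct x86_exception *e)
{
    (void)gva; (void)e;
    return is_mmio ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE;
}

/* Wrapper with the workaround from the fix commit: zero the struct before
 * the read, so a caller that blindly injects a page fault emits only zeros. */
static int read_guest_virt_fixed(uint64_t gva, int is_mmio,
                                 struct x86_exception *e)
{
    memset(e, 0, sizeof(*e));
    return read_guest_virt_helper(gva, is_mmio, e);
}

/* The caller pattern from the advisory. Returns the cr2 value that would be
 * injected on error, 0 when the read succeeds. The struct is pre-filled with
 * a marker standing in for stale stack bytes, since reading truly
 * uninitialized memory is undefined behaviour. */
static uint64_t emulate_vmptrld(int use_fix, int is_mmio)
{
    struct x86_exception e;
    memset(&e, 0xA5, sizeof(e));          /* constructed stale-stack marker */
    int r = use_fix ? read_guest_virt_fixed(0x1000, is_mmio, &e)
                    : read_guest_virt_helper(0x1000, is_mmio, &e);
    return r ? e.address : 0;             /* r != 0: kvm_inject_page_fault(&e) */
}
```

The unfixed path hands the marker bytes to the injection step unchanged, while the fixed path yields zeros for the same MMIO operand; a non-MMIO read injects nothing on either path.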
Credits
Felix Wilhelm (Google Project Zero)
Reference(s)
Issue 1759: KVM: uninitialized memory leak in kvm_inject_page_fault
https://bugs.chromium.org/p/project-zero/issues/detail?id=1759&desc=2
KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=353c0956a618a07ba4bbe7ad00ff29fe70e8412a
KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
https://github.com/torvalds/linux/commit/353c0956a618a07ba4bbe7ad00ff29fe70e8412a
Linux 5.0
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0
Linux 4.20.8
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.8
Linux 4.19.21
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21
Linux 4.14.99
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.99
Linux 4.9.156
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.156
Linux 4.4.175
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.175
Linux 3.18.135
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.135
Linux 3.16.64
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.64
CVE-2019-7222 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-7222
CVE-2019-7222 | SUSE
https://www.suse.com/security/cve/CVE-2019-7222
CVE-2019-7222
https://security-tracker.debian.org/tracker/CVE-2019-7222
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-7222.html
CVE-2019-7222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7222
CVE-2019-7222
https://nvd.nist.gov/vuln/detail/CVE-2019-7222
If there is any error in this alert or you wish for a comprehensive analysis, let us know.
Last modified: November 29, 2019