Bug 899192 (CVE-2014-3610) - VUL-0: kernel: kvm: various issues
Summary: VUL-0: kernel: kvm: various issues
Status: RESOLVED FIXED
: CVE-2014-3647 (view as bug list)
Alias: CVE-2014-3610
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Bruce Rogers
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:60050 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-30 14:49 UTC by Marcus Meissner
Modified: 2019-05-21 14:41 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Patch set for SLE11-SP1-TD (48.04 KB, patch)
2015-04-09 04:31 UTC, Bruce Rogers 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-09-30 14:49:14 UTC 
EMBARGOED until October 18th.

PLEASE do not commit to OBS or other external repos or even our kernel git (as that is synced out).

CVE-2014-3646 kernel: kvm: vmx: invvpid vm exit not handled
        IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
        causes vm exit, which is currently not handled and causes unknown
        exit error to be propagated to userspace.

        A local unprivileged guest user could use this flaw to crash the
        guest.

        Reported by Advanced Threat Research team at Intel Security.
  

CVE-2014-3645 kernel: kvm: vmx: invept vm exit not handled
        On systems with invept instruction support (corresponding bit in
        IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invept
        causes vm exit, which is currently not handled and causes unknown
        exit error to be propagated to userspace.

        A local unprivileged guest user could use this flaw to crash the
        guest.

        Reported by Advanced Threat Research team at Intel Security.

        Upstream fix:

        http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bfd0a56b90005f8c8a004baf407ad90045c2b11e


CVE-2014-3611 kernel: kvm: PIT timer race condition
        There's a race condition in the PIT emulation code in KVM.  In
        __kvm_migrate_pit_timer the pit_timer object is accessed without
        synchronization.

        A local guest user with access to the PIT i/o ports could use this flaw to
        crash the host.

        Reported by Lars Bull of Google.


CVE-2014-3610 kernel: kvm: noncanonical MSR writes
        If the guest writes a noncanonical value to certain MSR registers, KVM will
        write that value to the MSR in the host context and a #GP will be raised
        leading to kernel panic.

        A privileged guest user can use this flaw to crash the host.

        Enabling CONFIG_PARAVIRT when building the kernel mitigates this issue
        because wrmsrl() ends up invoking safe msr write variant.

        Independently reported by Lars Bull of Google and Nadav Amit.


CVE-2014-3647 kernel: kvm: noncanonical rip after emulation
        kvm currently mishandles noncanonical addresses when emulating instructions
        that change rip (eg branches, calls), potentially causing a failed VM-entry.

        A guest user with access to I/O or MMIO region can use this flaw to crash the
        guest.

        Reported by Nadav Amit.
Comment 5 Marcus Meissner 2014-09-30 14:52:42 UTC 
actually kernel issues ... andreas, do you want to handle them or should i find a kernel guy?
Comment 6 Swamp Workflow Management 2014-10-01 12:07:56 UTC 
bugbot adjusting priority
Comment 7 SMASH SMASH 2014-10-01 14:05:10 UTC 
Affected packages:

SLE-11-SP3: kernel-source
SLE-12: kernel-source
Comment 8 Michal Marek 2014-10-20 10:21:44 UTC 
OK to merge the patches to the public SLE11-SP3 and SLE12 branches?
Comment 9 Bruce Rogers 2014-10-20 11:41:37 UTC 
That would be fine with me. Thanks.
Comment 10 Michal Hocko 2014-10-20 12:14:45 UTC 
Does this affect SLE11-SP1-TD branch?
Comment 11 Bruce Rogers 2014-10-21 10:17:00 UTC 
I imagine most of these vulnerabilities apply in one way or another.
Comment 13 Michal Marek 2014-11-10 10:20:38 UTC 
The patches have been merged into SLE11-SP3 and SLE12. openSUSE branches are missing.
Comment 14 Swamp Workflow Management 2014-12-23 18:13:48 UTC 
SUSE-SU-2014:1693-1: An update that solves 21 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 755743,779488,800255,835839,851603,853040,857643,860441,868049,873228,876633,883724,883948,885077,887418,888607,891211,891368,891790,892782,893758,894058,894895,895387,895468,896382,896390,896391,896392,896415,897502,897694,897708,898295,898375,898554,899192,899574,899843,901638,902346,902349,903331,903653,904013,904358,904700,905100,905522
CVE References: CVE-2012-4398,CVE-2013-2889,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-7263,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-4508,CVE-2014-4608,CVE-2014-7826,CVE-2014-7841,CVE-2014-8709,CVE-2014-8884
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-default-3.0.101-0.42.1, kernel-pae-3.0.101-0.42.1, kernel-source-3.0.101-0.42.1, kernel-syms-3.0.101-0.42.1, kernel-trace-3.0.101-0.42.1, kernel-xen-3.0.101-0.42.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-default-3.0.101-0.42.1, kernel-ec2-3.0.101-0.42.1, kernel-pae-3.0.101-0.42.1, kernel-source-3.0.101-0.42.1, kernel-syms-3.0.101-0.42.1, kernel-trace-3.0.101-0.42.1, kernel-xen-3.0.101-0.42.1, xen-4.2.5_02-0.7.2
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.27.115, gfs2-2-0.16.121, ocfs2-1.6-0.20.115
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-default-3.0.101-0.42.1, kernel-pae-3.0.101-0.42.1, kernel-source-3.0.101-0.42.1, kernel-syms-3.0.101-0.42.1, kernel-trace-3.0.101-0.42.1, kernel-xen-3.0.101-0.42.1, xen-4.2.5_02-0.7.2
SLE 11 SERVER Unsupported Extras (src):    kernel-default-3.0.101-0.42.1, kernel-pae-3.0.101-0.42.1, kernel-ppc64-3.0.101-0.42.1, kernel-xen-3.0.101-0.42.1
Comment 15 Swamp Workflow Management 2014-12-23 19:11:49 UTC 
SUSE-SU-2014:1695-1: An update that solves 24 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 755743,779488,800255,835839,851603,853040,857643,860441,868049,873228,876633,883724,883948,885077,887418,888607,891211,891368,891790,892782,893758,894058,894895,895387,895468,896382,896390,896391,896392,896415,897502,897694,897708,898295,898375,898554,899192,899574,899843,901638,902346,902349,903331,903653,904013,904358,904700,905100,905522,907818,909077,910251
CVE References: CVE-2012-4398,CVE-2013-2889,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-7263,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-4508,CVE-2014-4608,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-8709,CVE-2014-8884,CVE-2014-9090,CVE-2014-9322
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.46.1, kernel-default-3.0.101-0.46.1, kernel-source-3.0.101-0.46.1, kernel-syms-3.0.101-0.46.1, kernel-trace-3.0.101-0.46.1, kernel-xen-3.0.101-0.46.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.46.1, kernel-default-3.0.101-0.46.1, kernel-ec2-3.0.101-0.46.1, kernel-source-3.0.101-0.46.1, kernel-syms-3.0.101-0.46.1, kernel-trace-3.0.101-0.46.1, kernel-xen-3.0.101-0.46.1, xen-4.2.5_02-0.7.9
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.27.120, gfs2-2-0.16.126, ocfs2-1.6-0.20.120
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.46.1, kernel-default-3.0.101-0.46.1, kernel-source-3.0.101-0.46.1, kernel-syms-3.0.101-0.46.1, kernel-trace-3.0.101-0.46.1, kernel-xen-3.0.101-0.46.1, xen-4.2.5_02-0.7.9
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.46.1, kernel-default-3.0.101-0.46.1, kernel-xen-3.0.101-0.46.1
Comment 16 Swamp Workflow Management 2014-12-24 07:16:14 UTC 
SUSE-SU-2014:1693-2: An update that solves 21 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 755743,779488,800255,835839,851603,853040,857643,860441,868049,873228,876633,883724,883948,885077,887418,888607,891211,891368,891790,892782,893758,894058,894895,895387,895468,896382,896390,896391,896392,896415,897502,897694,897708,898295,898375,898554,899192,899574,899843,901638,902346,902349,903331,903653,904013,904358,904700,905100,905522
CVE References: CVE-2012-4398,CVE-2013-2889,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-7263,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-4508,CVE-2014-4608,CVE-2014-7826,CVE-2014-7841,CVE-2014-8709,CVE-2014-8884
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-default-3.0.101-0.42.1, kernel-ppc64-3.0.101-0.42.1, kernel-source-3.0.101-0.42.1, kernel-syms-3.0.101-0.42.1, kernel-trace-3.0.101-0.42.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.27.115, gfs2-2-0.16.121, ocfs2-1.6-0.20.115
Comment 17 Swamp Workflow Management 2015-01-14 18:16:03 UTC 
SUSE-SU-2014:1695-2: An update that solves 24 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 755743,779488,800255,835839,851603,853040,857643,860441,868049,873228,876633,883724,883948,885077,887418,888607,891211,891368,891790,892782,893758,894058,894895,895387,895468,896382,896390,896391,896392,896415,897502,897694,897708,898295,898375,898554,899192,899574,899843,901638,902346,902349,903331,903653,904013,904358,904700,905100,905522,907818,909077,910251
CVE References: CVE-2012-4398,CVE-2013-2889,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-7263,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-4508,CVE-2014-4608,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-8709,CVE-2014-8884,CVE-2014-9090,CVE-2014-9322
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.27.121, drbd-kmp-8.4.4-0.22.87, iscsitarget-1.4.20-0.38.106, kernel-rt-3.0.101.rt130-0.32.1, kernel-rt_trace-3.0.101.rt130-0.32.1, kernel-source-rt-3.0.101.rt130-0.32.1, kernel-syms-rt-3.0.101.rt130-0.32.1, lttng-modules-2.1.1-0.11.96, ocfs2-1.6-0.20.121, ofed-1.5.4.1-0.13.112
Comment 18 Swamp Workflow Management 2015-01-16 13:12:53 UTC 
SUSE-SU-2015:0068-1: An update that solves 11 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 851603,853040,860441,862957,863526,870498,873228,874025,877622,879255,880767,880892,881085,883139,887046,887382,887418,889295,889297,891259,891619,892254,892612,892650,892860,893454,894057,894863,895221,895387,895468,895680,895983,896391,897101,897736,897770,897912,898234,898297,899192,899489,899551,899785,899787,899908,900126,901090,901774,901809,901925,902010,902016,902346,902893,902898,903279,903307,904013,904077,904115,904354,904871,905087,905100,905296,905758,905772,907818,908184,909077,910251,910697
CVE References: CVE-2013-6405,CVE-2014-3185,CVE-2014-3610,CVE-2014-3611,CVE-2014-3647,CVE-2014-3673,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-9090,CVE-2014-9322
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.32-33.3, kernel-obs-build-3.12.32-33.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.32-33.1, kernel-syms-3.12.32-33.1
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.32-33.1, kernel-syms-3.12.32-33.1
Comment 19 Jiri Slaby 2015-02-16 12:44:10 UTC 
(In reply to Marcus Meissner from comment #1)
> Created attachment 608529 [details]
> CVE-2014-3610-patches.tgz

0001-KVM-x86-Prevent-guest-from-writing-non-canonical-MSR.patch
was not applied from the tar above. I don't see it anywhere in the linus tree, so I guess, this is intentional?
Comment 20 Swamp Workflow Management 2015-03-11 19:11:06 UTC 
SUSE-SU-2015:0481-1: An update that solves 34 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 771619,779488,833588,835839,847652,857643,864049,865442,867531,867723,870161,875051,876633,880892,883096,883948,887082,892490,892782,895680,896382,896390,896391,896392,897995,898693,899192,901885,902232,902346,902349,902351,902675,903640,904013,904700,905100,905312,905799,906586,907189,907338,907396,909078,912654,912705,915335
CVE References: CVE-2012-4398,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-2929,CVE-2013-7263,CVE-2014-0131,CVE-2014-0181,CVE-2014-2309,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-4943,CVE-2014-5471,CVE-2014-5472,CVE-2014-7826,CVE-2014-7841,CVE-2014-7842,CVE-2014-8134,CVE-2014-8369,CVE-2014-8559,CVE-2014-8709,CVE-2014-9584,CVE-2014-9585
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    kernel-default-3.0.101-0.7.29.1, kernel-ec2-3.0.101-0.7.29.1, kernel-pae-3.0.101-0.7.29.1, kernel-source-3.0.101-0.7.29.1, kernel-syms-3.0.101-0.7.29.1, kernel-trace-3.0.101-0.7.29.1, kernel-xen-3.0.101-0.7.29.1, xen-4.1.6_08-0.5.19
SLE 11 SERVER Unsupported Extras (src):    ext4-writeable-0-0.14.142, kernel-default-3.0.101-0.7.29.1, kernel-pae-3.0.101-0.7.29.1, kernel-xen-3.0.101-0.7.29.1
Comment 21 Swamp Workflow Management 2015-03-21 14:11:09 UTC 
openSUSE-SU-2015:0566-1: An update that solves 38 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 771619,778463,833588,835839,847652,853040,864049,865442,867531,867723,870161,875051,876633,880892,883096,883724,883948,887082,892490,892782,895680,896382,896390,896391,896392,897995,898693,899192,901885,902232,902346,902349,902351,902675,903640,904013,904700,905100,905312,905799,906586,907189,907338,907396,907818,909077,909078,910251,912654,912705,915335
CVE References: CVE-2012-4398,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-2929,CVE-2013-7263,CVE-2014-0131,CVE-2014-0181,CVE-2014-2309,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4508,CVE-2014-4608,CVE-2014-4943,CVE-2014-5471,CVE-2014-5472,CVE-2014-7826,CVE-2014-7841,CVE-2014-7842,CVE-2014-8133,CVE-2014-8134,CVE-2014-8369,CVE-2014-8559,CVE-2014-8709,CVE-2014-9090,CVE-2014-9322,CVE-2014-9584,CVE-2014-9585
Sources used:
openSUSE Evergreen 11.4 (src):    kernel-docs-3.0.101-99.2, kernel-source-3.0.101-99.1, kernel-syms-3.0.101-99.1, preload-1.2-6.77.1
Comment 22 Bruce Rogers 2015-03-27 17:20:07 UTC 
Two problems were identified with the patches for this bug. See bsc#924721. The fixes are being submitted.
Comment 23 Michal Hocko 2015-03-30 08:14:29 UTC 
(In reply to Bruce Rogers from comment #22)
> Two problems were identified with the patches for this bug. See bsc#924721.
> The fixes are being submitted.

Thanks for the heads but. I've already pushed the same changes to SLE11-SP3-TD branch.

But it seems that SLE11-SP1-TD fell through cracks... See comment 10 and 11. Could you please help me with this one Bruce?
Comment 24 Bruce Rogers 2015-03-30 21:57:50 UTC 
(In reply to Michal Hocko from comment #23)
> (In reply to Bruce Rogers from comment #22)
> > Two problems were identified with the patches for this bug. See bsc#924721.
> > The fixes are being submitted.
> 
> Thanks for the heads but. I've already pushed the same changes to
> SLE11-SP3-TD branch.
> 
> But it seems that SLE11-SP1-TD fell through cracks... See comment 10 and 11.
> Could you please help me with this one Bruce?

OK - will do.
Comment 27 Bruce Rogers 2015-04-09 04:31:14 UTC 
Created attachment 630426 [details]
Patch set for SLE11-SP1-TD

I don't have rights to check in to the TSLE11-SP1-TD branch. It should be all ready to go. Michal H., could you check it in?
Comment 28 Michal Hocko 2015-04-09 06:08:06 UTC 
(In reply to Bruce Rogers from comment #27)
> Created attachment 630426 [details]
> Patch set for SLE11-SP1-TD
> 
> I don't have rights to check in to the TSLE11-SP1-TD branch. It should be
> all ready to go. Michal H., could you check it in?

Done. Thanks a lot Bruce!
Comment 32 Swamp Workflow Management 2015-06-16 12:05:15 UTC 
SUSE-SU-2015:1071-1: An update that solves 13 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130
CVE References: CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.43-52.6.2, kernel-obs-build-3.12.43-52.6.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_5-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
Comment 33 Marcus Meissner 2015-12-08 14:25:33 UTC 
think we are all done here.
Comment 35 Marcus Meissner 2019-05-13 09:01:15 UTC 
*** Bug 1134834 has been marked as a duplicate of this bug. ***