Bugzilla – Bug 980829
VUL-0: CVE-2016-4440: kernel: kvm: vmx: incorrect state update leading to MSR access
Last modified: 2020-07-27 18:16:29 UTC
rh#1337806 Linux kernel built with the Kernel-based virtual machine (CONFIG_KVM) along with Hyper-v Synthetic Interrupt Controller (SynIC) support is vulnerable to an undue APIC register access issue. In that, a guest with SynIC enabled could gain access to the host's Machine Specific Registers (MSR). A privileged user inside the guest could use this flaw to crash the host kernel, resulting in a DoS, or potentially leverage it to escalate privileges on the host.

Upstream patch:
---------------
-> http://permalink.gmane.org/gmane.comp.emulators.kvm.devel/152191

Reference:
----------
-> http://comments.gmane.org/gmane.comp.emulators.kvm.devel/152100

Note: It requires fairly recent features to be available and enabled on the host (APICv) as well as in the guest (-hv-synic).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1337806
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4440
http://seclists.org/oss-sec/2016/q2/380
bugbot adjusting priority
Okay, I checked SLE12-SP2, and it is not affected as it does not implement the KVM_CAP_HYPERV_SYNIC extension of KVM. The problem was introduced with upstream commit 5c919412fe61 ('kvm/x86: Hyper-V synthetic interrupt controller'). The upstream fix is patch 3ce424e45411 ('kvm:vmx: more complete state update on APICv on/off') which has no 'Fixes:' or 'stable' tags. The problem was introduced in kernel v4.5 and will be fixed in kernel v4.7. This means that v4.5 and v4.6 are affected. We don't use any of these kernel versions in our commercial or community products (yet).
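A host-side triage helper for this CVE, added here as an example and not taken from the bug report or the kernel tree: it encodes the v4.5 to v4.6 mainline window and the host APICv precondition stated in the comments above. The sysfs path /sys/module/kvm_intel/parameters/enable_apicv is the real kvm_intel module parameter; the function names and verdict strings are illustrative.

```python
"""Triage helper for CVE-2016-4440 exposure on a KVM host (added example).

Encodes the window named in the bug: introduced in v4.5 (commit 5c919412fe61),
fixed in v4.7 (commit 3ce424e45411), and the note that the issue needs APICv
enabled on the host. The fix carries no 'Fixes:'/'stable' tag, so distro kernels
may or may not have a backport: a version match means "check the vendor
changelog", not "confirmed vulnerable".
"""
import re
from pathlib import Path

INTRODUCED = (4, 5)   # first mainline release exposing KVM_CAP_HYPERV_SYNIC
FIXED = (4, 7)        # first mainline release carrying the fix

# Real kvm_intel parameter; absent if the module is not loaded (e.g. AMD hosts)
APICV_PARAM = Path("/sys/module/kvm_intel/parameters/enable_apicv")


def parse_kernel_version(release):
    """Return (major, minor) from a `uname -r` string like '4.5.7-300.fc24.x86_64'."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def mainline_in_window(release):
    """True if the mainline version lies in [v4.5, v4.7), the range the bug names."""
    return INTRODUCED <= parse_kernel_version(release) < FIXED


def apicv_enabled(param_path=APICV_PARAM):
    """Read kvm_intel's enable_apicv; None when kvm_intel is not loaded."""
    try:
        return param_path.read_text().strip() in ("Y", "1")
    except FileNotFoundError:
        return None


def assess(release, apicv):
    """Combine the version window and the APICv precondition into a verdict."""
    if not mainline_in_window(release):
        return "not in affected mainline window"
    if apicv is False:
        return "version in window, but APICv disabled on host: precondition not met"
    if apicv is None:
        return "version in window, kvm_intel not loaded: re-check once KVM is in use"
    return "version in window and APICv enabled: verify vendor backport of 3ce424e45411"


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(rel, "->", assess(rel, apicv_enabled()))
```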
Our products are not affected by this CVE. Assigning back to security team.
ok!