[SRU Bionic, Focal, Jammy, Kinetic, OEM-5.17, OEM-6.0 PATCH v2 0/1] CVE-2023-30456

Cengiz Can cengiz.can at canonical.com
Thu Apr 27 13:27:42 UTC 2023


[Impact]
An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before
6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.

From the Ubuntu Security Team:

Reima Ishii discovered that the nested KVM implementation for Intel x86
processors in the Linux kernel did not properly validate control registers in
certain situations. An attacker in a guest VM could use this to cause a denial
of service (guest crash).

[Fix]
OEM-6.1 already has the fix.
Cherry picked from upstream to Jammy, OEM-5.17, Kinetic and OEM-6.0.
Cherry picked from linux-5.4.y to Focal.
Cherry picked from linux-4.19.y to Bionic.
Backported the fix from Bionic to Xenial with some modifications.

v2: Fix wrong CVE number in commit bodies.

[Test case]
This was super cumbersome to test. I had to spin up more than a dozen bare metal
instances in AWS in order to test L0->L1->L2 KVM virtualization.

I did perform basic nested KVM smoke tests using the following combinations:

Host     | Level 1  | Level 2
-------------------------------
OEM-6.0  | OEM-6.0  | OEM-6.0
OEM-5.17 | OEM-5.17 | OEM-5.17
4.15     | 4.15     | 4.15

5.15 and 5.19 were only boot tested.

The following kernels were tested with the kvm-unit-tests suite, with & without the fix:

4.4, 4.15, 5.4.

Test results remained the same with the fix. (On Bionic, some tests even improved
with the fix applied.)

[Potential regression]
Medium. Xenial backport modifies a block that was untouched since 2013 and needs
to be reviewed very carefully.

Paolo Bonzini (1):
  KVM: nVMX: add missing consistency checks for CR0 and CR4

 arch/x86/kvm/vmx/nested.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

-- 
2.37.2