APPLIED[K/J/F/B]: [SRU Bionic, Focal, Jammy, Kinetic, OEM-5.17, OEM-6.0 PATCH v2 0/1] CVE-2023-30456

Stefan Bader stefan.bader at canonical.com
Wed May 3 07:53:44 UTC 2023


On 27.04.23 15:27, Cengiz Can wrote:
> [Impact]
> An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before
> 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
> 
> From the Ubuntu Security Team:
> 
> Reima Ishii discovered that the nested KVM implementation for Intel x86
> processors in the Linux kernel did not properly validate control registers in
> certain situations. An attacker in a guest VM could use this to cause a denial
> of service (guest crash).
> 
> [Fix]
> OEM-6.1 already has the fix.
> Cherry picked from upstream to Jammy, OEM-5.17, Kinetic and OEM-6.0.
> Cherry picked from linux-5.4.y to Focal.
> Cherry picked from linux-4.19.y to Bionic.
> Backported the fix from Bionic to Xenial with some modifications.
> 
> v2: Fix wrong CVE number in commit bodies.
> 
> [Test case]
> This was super cumbersome to test. I had to spin up more than a dozen bare metal
> instances in AWS in order to test L0->L1->L2 KVM virtualization.
> 
> I did perform basic nested KVM smoke tests using the following combinations:
> 
> Host     | Level 1  | Level 2
> -------------------------------
> OEM-6.0  | OEM-6.0  | OEM-6.0
> OEM-5.17 | OEM-5.17 | OEM-5.17
> 4.15     | 4.15     | 4.15
> 
> 5.15 and 5.19 were only boot tested.
> 
> The following kernels were tested with the kvm-unit-tests suite, with & without the fix:
> 
> 4.4, 4.15, 5.4.
> 
> Test results remained the same with the fix. (On Bionic, some tests even improved
> with the fix applied).
> 
> [Potential regression]
> Medium. Xenial backport modifies a block that was untouched since 2013 and needs
> to be reviewed very carefully.
> 
> Paolo Bonzini (1):
>    KVM: nVMX: add missing consistency checks for CR0 and CR4
> 
>   arch/x86/kvm/vmx/nested.c | 10 ++++++++--
>   1 file changed, 8 insertions(+), 2 deletions(-)
> 

Applied to kinetic,jammy,focal,bionic:linux/master-next. Thanks.

-Stefan
