APPLIED [OEM-5.17/OEM-6.0] Re: [SRU Bionic, Focal, Jammy, Kinetic, OEM-5.17, OEM-6.0 PATCH v2 0/1] CVE-2023-30456
Timo Aaltonen
tjaalton at ubuntu.com
Thu May 18 11:59:16 UTC 2023
Cengiz Can wrote on 27.4.2023 at 16.27:
> [Impact]
> An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before
> 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
>
> From the Ubuntu Security Team:
>
> Reima Ishii discovered that the nested KVM implementation for Intel x86
> processors in the Linux kernel did not properly validate control registers in
> certain situations. An attacker in a guest VM could use this to cause a denial
> of service (guest crash).
>
> [Fix]
> OEM-6.1 already has the fix.
> Cherry picked from upstream to Jammy, OEM-5.17, Kinetic and OEM-6.0.
> Cherry picked from linux-5.4.y to Focal.
> Cherry picked from linux-4.19.y to Bionic.
> Backported the fix from Bionic to Xenial with some modifications.
>
> v2: Fix wrong CVE number in commit bodies.
>
> [Test case]
> This was super cumbersome to test. I had to spin up more than a dozen bare metal
> instances in AWS in order to test L0->L1->L2 KVM virtualization.
>
> I did perform basic nested KVM smoke tests using the following combinations:
>
> Host     | Level 1  | Level 2
> -------------------------------
> OEM-6.0  | OEM-6.0  | OEM-6.0
> OEM-5.17 | OEM-5.17 | OEM-5.17
> 4.15     | 4.15     | 4.15
>
> 5.15 and 5.19 were only boot tested.
>
> The following kernels were tested with the kvm-unit-tests suite, with & without the fix:
>
> 4.4, 4.15, 5.4.
>
> Test results remained the same with the fix. (On Bionic, some tests even improved
> with the fix applied).
>
> [Potential regression]
> Medium. Xenial backport modifies a block that was untouched since 2013 and needs
> to be reviewed very carefully.
>
> Paolo Bonzini (1):
> KVM: nVMX: add missing consistency checks for CR0 and CR4
>
> arch/x86/kvm/vmx/nested.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
applied to oem-5.17, oem-6.0, thanks
--
t