Linux 4.4.215 / 4.9.215 / 4.14.172 / 5.5.7 Kernels Bringing Intel KVM Security Fix
A few days back we reported on a security vulnerability within Intel's KVM virtualization code for the Linux kernel. That vulnerability stems from unfinished kernel code and was fixed for Linux 5.6 Git and is now being back-ported to the 4.4 / 4.9 / 4.14 / 5.5 supported kernels.
Back on Monday when the CVE-2020-2732 patches first came to light, little was publicly known about the issue other than that it stemmed from incomplete code in the vmx_check_intercept function, which did not check all possible intercepts and in turn could end up emulating instructions that should have been disabled by the hypervisor.
Since then the Red Hat disclosure on the listing has revealed more precise details, "A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor."
An important detail to reinforce regarding CVE-2020-2732 is that KVM nested virtualization must be enabled for this vulnerability and the only exposure is to Intel CPUs.
While Linux 5.6 Git has carried the necessary patches since Monday, as outlined in the article linked above, these patches are now trickling back to the supported stable kernel series. The current Linux 5.5 cycle will pick up the mitigation in Linux 5.5.7, based on today's review queue. The patches also hit the review queues today for the forthcoming LTS point releases, bringing the mitigation to the Linux 4.14.172, 4.9.125, and 4.4.125 kernels. The review queues were sent out today, while the actual kernel releases should happen within the next few days.
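As an added host-side check, not code from the article or from the kernel project, the script below tests the three exposure conditions the article names (Intel CPU, KVM nested virtualization enabled, stable kernel older than its fixed point release). It assumes the fixed versions in the headline and that the kvm_intel module exposes its nested setting at /sys/module/kvm_intel/parameters/nested (Y/N on recent kernels, 1/0 on older ones).

```shell
#!/bin/sh
# First patched release per stable series, taken from the article headline.
FIXED_VERSIONS="4.4 4.4.215
4.9 4.9.215
4.14 4.14.172
5.5 5.5.7"

# version_ge A B: succeed when dotted version A >= B, comparing three numeric
# fields (a missing field counts as 0, so "5.5" == "5.5.0").
version_ge() {
    a="$1.0.0" b="$2.0.0" i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# kvm_nested_exposed VENDOR NESTED KERNEL
#   VENDOR: vendor_id from /proc/cpuinfo, NESTED: kvm_intel 'nested' value,
#   KERNEL: output of uname -r. Succeeds only when all three conditions from
#   the article hold; a series not in the table above yields "not exposed"
#   because the article makes no statement about it.
kvm_nested_exposed() {
    vendor="$1" nested="$2"
    kernel=$(echo "$3" | sed 's/[^0-9.].*//')        # drop "-generic" style suffixes
    [ "$vendor" = "GenuineIntel" ] || return 1       # only Intel CPUs are affected
    case "$nested" in Y|y|1) ;; *) return 1 ;; esac  # nested virtualization must be on
    series=$(echo "$kernel" | cut -d. -f1,2)
    fixed=$(echo "$FIXED_VERSIONS" | awk -v s="$series" '$1 == s { print $2 }')
    [ -n "$fixed" ] || return 1
    if version_ge "$kernel" "$fixed"; then return 1; fi
    return 0
}

# Run the check against the running host (the nested file is absent when
# kvm_intel is not loaded, which we treat as nested=N).
check_this_host() {
    vendor=$(awk '/^vendor_id/ { print $3; exit }' /proc/cpuinfo)
    nested=$(cat /sys/module/kvm_intel/parameters/nested 2>/dev/null || echo N)
    if kvm_nested_exposed "$vendor" "$nested" "$(uname -r)"; then
        echo "EXPOSED: vendor=$vendor nested=$nested kernel=$(uname -r) predates the fixed release"
        return 0
    fi
    echo "not exposed by the article's criteria: vendor=$vendor nested=$nested kernel=$(uname -r)"
    return 1
}
if [ "${1:-}" = "--check" ]; then check_this_host; fi
```

Invoke it as `sh check.sh --check` on the host; a 0 exit status means all three conditions hold.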