Linux 4.4.215 / 4.9.215 / 4.14.172 / 5.5.7 Kernels Bringing Intel KVM Security Fix
Written by Michael Larabel in Linux Kernel on 27 February 2020 at 03:02 PM EST. 10 Comments
LINUX KERNEL --
A few days back we reported on a security vulnerability within Intel's KVM virtualization code for the Linux kernel. That vulnerability stems from unfinished kernel code and was fixed for Linux 5.6 Git and is now being back-ported to the 4.4 / 4.9 / 4.14 / 5.5 supported kernels.

Back on Monday when the CVE-2020-2732 patches first came to light, little was publicly known about the issue but that it stemmed from incomplete code in the vmx_check_intercept functionality in not checking all possible intercepts and in turn could end up emulating instructions that should be disabled by the hypervisor.

Since then the Red Hat disclosure on the listing has revealed more precise details, "A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor."

An important detail to reinforce regarding CVE-2020-2732 is that KVM nested virtualization must be enabled for this vulnerability and the only exposure is to Intel CPUs.

While Linux 5.6 Git was protected with the necessary patches since Monday as outlined in the aforelinked article, now we are seeing these patches trickle back to supported stable kernel series. The current Linux 5.5 cycle will see this mitigation present for Linux 5.5.7 given today's review queue. Also hitting the review queues today for forthcoming LTS kernels put the mitigation as coming to Linux 4.14.172, 4.9.125, and 4.4.125 kernels. The review queues of the patches were sent out today while the actual kernel releases should happen within the next few days.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week