Re: arm64 Linux kernel: Privilege escalation by taking control of the KVM hypervisor

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Tue, Oct 02, 2018 at 05:07:14PM +0100, Will Deacon wrote:
> Hi all,
>
> Whilst reviewing some proposed arm64 KVM changes, it became apparent that
> the sanity checking for the KVM_SET_ON_REG ioctl() on arm64 does not
> correctly handle a number of cases:
>
>       - Unaligned register accesses and accesses that span multiple
>         registers can bypass PSTATE sanity checking
>
>       - The PSTATE sanity checking fails to take into account the
>         capabilities of the physical CPU, or the configuration of
>         the virtual CPU
>
> This allows an attacker with permission to create KVM-based virtual machines
> to both panic the hypervisor by triggering an illegal exception return
> (resulting in a DoS) and to redirect execution elsewhere within the
> hypervisor with full register control, instead of causing a return to the
> guest.
>
> This has been fixed by upstream commits:
>
> d26c25a9d19b ("arm64: KVM: Tighten guest core register access from userspace")
> 2a3f93459d68 ("arm64: KVM: Sanitize PSTATE.M when being set from userspace")
>
> which are being backported and applied to all active -stable kernels.
>
> 32-bit Arm is unaffected by this issue.
>
> There has not yet been a CVE requested for this (mainly because I don't know
> how to do it).

This issue got CVE-2018-18021 assigned.

Regards,
Salvatore