cve/published/2022/CVE-2022-49557.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49557: x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)

 Set the starting uABI size of KVM's guest FPU to 'struct kvm_xsave',
 i.e. to KVM's historical uABI size.  When saving FPU state for usersapce,
 KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if
 the host doesn't support XSAVE.  Setting the XSAVE header allows the VM
 to be migrated to a host that does support XSAVE without the new host
 having to handle FPU state that may or may not be compatible with XSAVE.

 Setting the uABI size to the host's default size results in out-of-bounds
 writes (setting the FP+SSE bits) and data corruption (that is thankfully
 caught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.

 WARN if the default size is larger than KVM's historical uABI size; all
 features that can push the FPU size beyond the historical size must be
 opt-in.

   ==================================================================
   BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130
   Read of size 8 at addr ffff888011e33a00 by task qemu-build/681
   CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1
   Hardware name:  /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010
   Call Trace:
    <TASK>
    dump_stack_lvl+0x34/0x45
    print_report.cold+0x45/0x575
    kasan_report+0x9b/0xd0
    fpu_copy_uabi_to_guest_fpstate+0x86/0x130
    kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]
    kvm_vcpu_ioctl+0x47f/0x7b0 [kvm]
    __x64_sys_ioctl+0x5de/0xc90
    do_syscall_64+0x31/0x50
    entry_SYSCALL_64_after_hwframe+0x44/0xae
    </TASK>
   Allocated by task 0:
   (stack is not available)
   The buggy address belongs to the object at ffff888011e33800
    which belongs to the cache kmalloc-512 of size 512
   The buggy address is located 0 bytes to the right of
    512-byte region [ffff888011e33800, ffff888011e33a00)
   The buggy address belongs to the physical page:
   page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30
   head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0
   flags: 0x4000000000010200(slab|head|zone=1)
   raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80
   raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
   page dumped because: kasan: bad access detected
   Memory state around the buggy address:
    ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   >ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
    ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ==================================================================
   Disabling lock debugging due to kernel taint

 The Linux kernel CVE team has assigned CVE-2022-49557 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit c60427dd50ba9b20063ccaed0e98d62e886d7a3b and fixed in 5.17.13 with commit 9cf15ebb7dedfe2f27120743b8ea8441c99ac73c
 	Issue introduced in 5.17 with commit c60427dd50ba9b20063ccaed0e98d62e886d7a3b and fixed in 5.18.2 with commit c181acbd1a427859d5fda543b95fbae28f7f6068
 	Issue introduced in 5.17 with commit c60427dd50ba9b20063ccaed0e98d62e886d7a3b and fixed in 5.19 with commit d187ba5312307d51818beafaad87d28a7d939adf

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49557
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kernel/fpu/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9cf15ebb7dedfe2f27120743b8ea8441c99ac73c
 	https://git.kernel.org/stable/c/c181acbd1a427859d5fda543b95fbae28f7f6068
 	https://git.kernel.org/stable/c/d187ba5312307d51818beafaad87d28a7d939adf
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49557: x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)

	Set the starting uABI size of KVM's guest FPU to 'struct kvm_xsave',
	i.e. to KVM's historical uABI size. When saving FPU state for usersapce,
	KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if
	the host doesn't support XSAVE. Setting the XSAVE header allows the VM
	to be migrated to a host that does support XSAVE without the new host
	having to handle FPU state that may or may not be compatible with XSAVE.

	Setting the uABI size to the host's default size results in out-of-bounds
	writes (setting the FP+SSE bits) and data corruption (that is thankfully
	caught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.

	WARN if the default size is larger than KVM's historical uABI size; all
	features that can push the FPU size beyond the historical size must be
	opt-in.

	==================================================================
	BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130
	Read of size 8 at addr ffff888011e33a00 by task qemu-build/681
	CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1
	Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010
	Call Trace:
	<TASK>
	dump_stack_lvl+0x34/0x45
	print_report.cold+0x45/0x575
	kasan_report+0x9b/0xd0
	fpu_copy_uabi_to_guest_fpstate+0x86/0x130
	kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]
	kvm_vcpu_ioctl+0x47f/0x7b0 [kvm]
	__x64_sys_ioctl+0x5de/0xc90
	do_syscall_64+0x31/0x50
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	</TASK>
	Allocated by task 0:
	(stack is not available)
	The buggy address belongs to the object at ffff888011e33800
	which belongs to the cache kmalloc-512 of size 512
	The buggy address is located 0 bytes to the right of
	512-byte region [ffff888011e33800, ffff888011e33a00)
	The buggy address belongs to the physical page:
	page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30
	head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0
	flags: 0x4000000000010200(slab\|head\|zone=1)
	raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80
	raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
	page dumped because: kasan: bad access detected
	Memory state around the buggy address:
	ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	>ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	^
	ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	==================================================================
	Disabling lock debugging due to kernel taint

	The Linux kernel CVE team has assigned CVE-2022-49557 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit c60427dd50ba9b20063ccaed0e98d62e886d7a3b and fixed in 5.17.13 with commit 9cf15ebb7dedfe2f27120743b8ea8441c99ac73c
	Issue introduced in 5.17 with commit c60427dd50ba9b20063ccaed0e98d62e886d7a3b and fixed in 5.18.2 with commit c181acbd1a427859d5fda543b95fbae28f7f6068
	Issue introduced in 5.17 with commit c60427dd50ba9b20063ccaed0e98d62e886d7a3b and fixed in 5.19 with commit d187ba5312307d51818beafaad87d28a7d939adf

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49557
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kernel/fpu/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9cf15ebb7dedfe2f27120743b8ea8441c99ac73c
	https://git.kernel.org/stable/c/c181acbd1a427859d5fda543b95fbae28f7f6068
	https://git.kernel.org/stable/c/d187ba5312307d51818beafaad87d28a7d939adf