[A/B/C] CVE-2018-12904 - Possible priv escalation and DoS in nested KVM
In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested
virtualization is used, local attackers could cause L1 KVM guests to
VMEXIT, potentially allowing privilege escalation and denial of service
attacks, because the CPL is not checked.
tyhicks> Ubuntu kernels do not enable nested KVM virtualization by default and
are unaffected by this flaw in the default configuration. To ensure that
nested virtualization is not enabled, verify that the
/sys/module/kvm_intel/parameters/nested file contains "N".
https://bugs.chromium.org/p/project-zero/issues/detail?id=1589
Priority: low
Discovered-by: Felix Wilhelm
On Thu, Jun 28, 2018 at 11:31:51PM +0000, Tyler Hicks wrote:
> From: Felix Wilhelm <[hidden email]>
> VMX instructions executed inside an L1 VM will always trigger a VM exit
> even when executed with cpl 3. This means we must perform the
> privilege check in software.
> Fixes: 70f3aac964ae ("kvm: nVMX: Remove superfluous VMX instruction fault checks")
> Cc: [hidden email]
> Signed-off-by: Felix Wilhelm <[hidden email]>
> Signed-off-by: Paolo Bonzini <[hidden email]>
> (cherry picked from commit 727ba748e110b4de50d142edca9d6a9b7e6111d8)
> Signed-off-by: Tyler Hicks <[hidden email]>
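The commit message above states the mechanism behind this CVE: a VMX instruction executed in an L1 guest always causes a VM exit, regardless of the guest's CPL, so the hardware never applies the ring-0 requirement that it would apply in VMX root mode, and L0 has to re-create that check in its exit handler. The C model below is an added illustration and is not the kernel patch or any code from the message; the `model_vcpu` structure and the two `check_permission_*` functions are constructed for this example. It contrasts a decision path that checks only the VMXON state with one that also rejects CPL > 0 with a #GP(0), which is the fault the CPU itself raises for a VMX instruction at CPL > 0 in VMX root mode.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed for this example: the minimal L1 state an L0 exit handler
 * needs in order to decide what to do with an intercepted VMX instruction. */
struct model_vcpu {
    bool vmxon;      /* has the L1 guest already executed VMXON? */
    unsigned cpl;    /* privilege level of the L1 code that caused the exit (0..3) */
};

enum vmx_exit_action {
    VMX_INJECT_UD,   /* VMX instruction used before VMXON: inject #UD into L1 */
    VMX_INJECT_GP,   /* VMX instruction used from CPL > 0: inject #GP(0) into L1 */
    VMX_EMULATE      /* checks passed: L0 emulates the instruction for L1 */
};

/* Decision path without a CPL check. Because the VM exit is unconditional,
 * a ring-3 process inside L1 reaches emulation just like the L1 kernel would. */
enum vmx_exit_action check_permission_unpatched(const struct model_vcpu *v)
{
    if (!v->vmxon)
        return VMX_INJECT_UD;
    return VMX_EMULATE;
}

/* Decision path with the privilege check done in software: the order of the
 * checks mirrors what the CPU does in VMX root mode (#UD when VMX is not on,
 * then #GP(0) when CPL is not 0), so L1 observes the same fault either way. */
enum vmx_exit_action check_permission_patched(const struct model_vcpu *v)
{
    if (!v->vmxon)
        return VMX_INJECT_UD;
    if (v->cpl != 0)
        return VMX_INJECT_GP;
    return VMX_EMULATE;
}

static const char *action_name(enum vmx_exit_action a)
{
    switch (a) {
    case VMX_INJECT_UD: return "inject #UD";
    case VMX_INJECT_GP: return "inject #GP(0)";
    default:            return "emulate for L1";
    }
}

int main(void)
{
    /* Constructed scenarios: L1 kernel (CPL 0) and an L1 user process (CPL 3),
     * both after VMXON, plus a CPL 0 caller before VMXON. */
    const struct model_vcpu cases[] = {
        { .vmxon = true,  .cpl = 0 },
        { .vmxon = true,  .cpl = 3 },
        { .vmxon = false, .cpl = 0 },
    };

    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("vmxon=%d cpl=%u: unpatched -> %-15s patched -> %s\n",
               cases[i].vmxon, cases[i].cpl,
               action_name(check_permission_unpatched(&cases[i])),
               action_name(check_permission_patched(&cases[i])));
    }
    return 0;
}
```

The CPL 3 row is the one the advisory is about: the unpatched path emulates the instruction on behalf of an unprivileged L1 process, while the patched path faults exactly as bare metal would.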