Bug 1212649 (CVE-2023-46813) - VUL-0: CVE-2023-46813: kernel: SEV-ES local priv escalation
Summary: VUL-0: CVE-2023-46813: kernel: SEV-ES local priv escalation
Status: RESOLVED FIXED
Alias: CVE-2023-46813
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/370298/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46813:7.0:(AV:...
Keywords:
Depends on:
Blocks: 1216898
Reported: 2023-06-23 12:28 UTC by Marcus Meissner
Modified: 2024-04-05 17:24 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Proposed fixes (6.24 KB, application/gzip), 2023-06-23 12:40 UTC, Joerg Roedel
Proposed fixes (2.47 KB, application/gzip), 2023-10-06 08:53 UTC, Joerg Roedel

Description Marcus Meissner 2023-06-23 12:28:40 UTC
via Joerg directly.

It is a local privilege escalation issue for user-space programs that have access to MMIO regions

Such programs can basically read and write arbitrary kernel memory and access arbitrary IO ports.

I think the severity is limited by the fact that it requires access to MMIO regions

But still a serious issue
Comment 1 Joerg Roedel 2023-06-23 12:36:59 UTC
From the reporter:

Hey Jörg,

the bug I was talking about is in the #VC handler of the kernel. For most of
the error codes, it has to decode the instruction that caused the exception
and then emulate it. The problem is that the kernel doesn't do any memory
permission checks when emulating the instructions. For most cases this
wouldn't matter because the CPU would have done the permission checks before
causing the #VC exception, but there's a race condition where userspace can
swap out the instruction before the #VC handler reads them.

I was able to read and write arbitrary kernel memory like this:
1. Cause a #VC(NPF) by writing to MMIO memory. This region would be in
userspace thus passing the CPU's memory permission checks.
2. Quickly swap out the instruction with a `MOVS` instruction with either the
source or destination in kernel memory.
3. The kernel emulates the `MOVS` by reading from the source and writing to
the destination without any permission checks.

I'm not aware of a good way to map MMIO memory into userspace, so my exploit
currently relies on help from the hypervisor: I wrote some qemu & kvm host
patches that make it change some memory to MMIO memory at runtime. This isn't
caught by any RMP checks because MMIO memory works by setting invalid bits in
the nested page table, so the CPU doesn't have a physical page to do RMP
checks on. If there's a way to map MMIO memory into an unprivileged userspace
process, this step isn't needed. The MMIO memory is needed to cause the
#VC(NPF) exception.

The race condition can be applied to the IOIO_PROT handling to issue I/O port
and memory reads and writes. This doesn't rely on MMIO, but on the ability to
issue I/O port accesses, which isn't usually allowed for userspace processes
though there is a capability (cap_sys_rawio) to allow this.

To mitigate this, we would need to also emulate the permission checks both for
memory and I/O ports. Given that I haven't written much code for the Linux
kernel, I'm not sure of the best way to do this, so my hope is that you can
come up with an idiomatic solution for this.

Let me know if you have any questions about the bug or the PoC exploit.
Comment 3 Marcus Meissner 2023-07-07 11:18:40 UTC
CRD: unknown
Comment 6 Joerg Roedel 2023-10-06 08:49:19 UTC
The CRD has been set to Oct. 20th 2023

Discussed this heavily with Boris and he will go the conservative way and disable user-space MMIO support for SEV-ES for now. We will discuss a more proper solution after the CRD in the public.
Comment 16 Marcus Meissner 2023-10-25 08:51:43 UTC
mainline has the patches

commit 63e44bc52047f182601e7817da969a105aa1f721
Author: Joerg Roedel <jroedel@suse.de>
Date:   Mon Oct 16 14:42:50 2023 +0200

    x86/sev: Check for user-space IOIO pointing to kernel space
    
    Check the memory operand of INS/OUTS before emulating the instruction.
    The #VC exception can get raised from user-space, but the memory operand
    can be manipulated to access kernel memory before the emulation actually
    begins and after the exception handler has run.
    
      [ bp: Massage commit message. ]
    
    Fixes: 597cfe48212a ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler")
    Reported-by: Tom Dohrmann <erbse.13@gmx.de>
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Cc: <stable@kernel.org>


commit b9cb9c45583b911e0db71d09caa6b56469eb2bdf
Author: Joerg Roedel <jroedel@suse.de>
Date:   Wed Jun 21 17:42:42 2023 +0200

    x86/sev: Check IOBM for IOIO exceptions from user-space
    
    Check the IO permission bitmap (if present) before emulating IOIO #VC
    exceptions for user-space. These permissions are checked by hardware
    already before the #VC is raised, but due to the VC-handler decoding
    race it needs to be checked again in software.
    
    Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
    Reported-by: Tom Dohrmann <erbse.13@gmx.de>
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Tested-by: Tom Dohrmann <erbse.13@gmx.de>
    Cc: <stable@kernel.org>
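The following is an added user-space model of the race described in Comment 1 and of the two software re-checks named in the commit subjects above (string-operand check, I/O permission bitmap check). It is illustration code written for this page, not the kernel's #VC handler: the function names `vc_insn_string_check`, `vc_ioio_check`, `vc_emulate_unchecked` and `vc_emulate_checked` are modelled on the commit subjects, the `TASK_SIZE_MAX` value and all addresses are constructed, and a decoded instruction record stands in for real x86 instruction bytes. Refusing user-mode MMIO emulation entirely follows the conservative route mentioned in Comment 6.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TASK_SIZE_MAX  0x00007ffffffff000ULL /* assumed user/kernel split (x86-64 style) */
#define IO_BITMAP_BITS 65536                 /* one bit per I/O port */

enum es_result { ES_OK, ES_EXCEPTION };
enum insn_kind { INSN_MOV_MMIO, INSN_MOVS, INSN_OUTS };

/* Decoded instruction at RIP (the model keeps decoded operands instead of x86 bytes). */
struct insn { enum insn_kind kind; uint64_t src; uint64_t dst; uint16_t port; };

/* Faulting context: CPL and a TSS-style I/O bitmap (set bit = port denied; NULL = no ioperm()). */
struct vc_ctxt { bool user_mode; const uint8_t *io_bitmap; };

static bool fault_in_kernel_space(uint64_t addr) { return addr >= TASK_SIZE_MAX; }

/* Software re-check of a string instruction's memory operand: the operand the
 * handler sees may differ from the one the CPU checked before raising #VC. */
static enum es_result vc_insn_string_check(const struct vc_ctxt *c, uint64_t addr)
{
    return (c->user_mode && fault_in_kernel_space(addr)) ? ES_EXCEPTION : ES_OK;
}

/* Software re-check of the I/O permission bitmap for a size-byte access at port. */
static enum es_result vc_ioio_check(const struct vc_ctxt *c, uint16_t port, size_t size)
{
    if (!c->user_mode) return ES_OK;          /* ring 0 may touch any port */
    if (!c->io_bitmap) return ES_EXCEPTION;   /* no bitmap: hardware would have raised #GP */
    for (size_t p = port; p < (size_t)port + size; p++)
        if (p >= IO_BITMAP_BITS || (c->io_bitmap[p / 8] & (1u << (p % 8))))
            return ES_EXCEPTION;
    return ES_OK;
}

/* An emulator returns ES_OK and the source address it would have read from. */
typedef enum es_result (*emulator_fn)(const struct vc_ctxt *, const struct insn *, uint64_t *src_read);

/* Pre-fix: emulate whatever is at RIP now, trusting the CPU's earlier checks. */
static enum es_result vc_emulate_unchecked(const struct vc_ctxt *c, const struct insn *i, uint64_t *src_read)
{
    (void)c;
    *src_read = i->src;
    return ES_OK;
}

/* Post-fix: MMIO emulation for user mode is refused outright (the conservative
 * route from Comment 6); port and string operands are re-validated first. */
static enum es_result vc_emulate_checked(const struct vc_ctxt *c, const struct insn *i, uint64_t *src_read)
{
    enum es_result r = ES_OK;
    switch (i->kind) {
    case INSN_MOV_MMIO:
    case INSN_MOVS:
        if (c->user_mode)
            r = ES_EXCEPTION;
        break;
    case INSN_OUTS:
        r = vc_ioio_check(c, i->port, 1);
        if (r == ES_OK)
            r = vc_insn_string_check(c, i->src);
        break;
    }
    if (r == ES_OK)
        *src_read = i->src;
    return r;
}

/* The race from Comment 1: the CPU checks a user-mode store to a user-mapped MMIO
 * page and raises #VC; before the handler decodes RIP, another thread overwrites the
 * instruction with a MOVS whose source is a kernel address. True = kernel memory read. */
static bool race_reads_kernel_memory(emulator_fn emulate)
{
    struct vc_ctxt ctxt = { .user_mode = true, .io_bitmap = NULL };
    struct insn rip = { .kind = INSN_MOV_MMIO, .dst = 0x7f0000002000ULL }; /* constructed address */
    uint64_t src_read = 0;

    if (fault_in_kernel_space(rip.dst))       /* step 1: the CPU's permission check passes */
        return false;
    rip = (struct insn){ .kind = INSN_MOVS, .src = 0xffffffff81000000ULL, .dst = rip.dst }; /* step 2 */
    return emulate(&ctxt, &rip, &src_read) == ES_OK /* step 3: handler emulates RIP as it is now */
        && fault_in_kernel_space(src_read);
}

/* Same race on the IOIO path with the fixed handler: bitmap and memory operand are both
 * re-checked, so a swapped-in OUTS with a kernel-space source is refused even on an allowed port. */
static enum es_result outs_after_swap(bool port_allowed, uint64_t src)
{
    static uint8_t bitmap[IO_BITMAP_BITS / 8];
    struct vc_ctxt ctxt = { .user_mode = true, .io_bitmap = bitmap };
    struct insn rip = { .kind = INSN_OUTS, .src = src, .port = 0x3f8 };
    uint64_t src_read;

    memset(bitmap, 0xff, sizeof bitmap);                    /* deny every port ... */
    if (port_allowed)
        bitmap[0x3f8 / 8] &= (uint8_t)~(1u << (0x3f8 % 8)); /* ... except 0x3f8 */
    return vc_emulate_checked(&ctxt, &rip, &src_read);
}
```

The point the model makes is that the CPU's check and the handler's decode are two separate reads of the same instruction bytes, so any permission the CPU enforced must be enforced again on what the handler actually decoded; with the unchecked emulator `race_reads_kernel_memory` returns true, with the checked one it returns false, and `outs_after_swap` shows the bitmap check and the operand check failing independently.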
Comment 17 Marcus Meissner 2023-10-25 08:52:09 UTC
was there any public announcement?
Comment 22 Marcus Meissner 2023-10-26 09:34:26 UTC
I requested a CVE from Mitre (cross checked with researcher and kernel devs, they did not request one)
Comment 25 Marcus Meissner 2023-10-27 06:49:04 UTC
CVE-2023-46813
Comment 35 Maintenance Automation 2023-11-02 16:30:34 UTC
SUSE-SU-2023:4345-1: An update that solves nine vulnerabilities and has 14 security fixes can now be installed.

Category: security (important)
Bug References: 1208788, 1210778, 1211307, 1212423, 1212649, 1213705, 1214842, 1215095, 1215104, 1215518, 1215745, 1215768, 1215860, 1215955, 1215986, 1216046, 1216051, 1216062, 1216345, 1216510, 1216511, 1216512, 1216621
CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39193, CVE-2023-45862, CVE-2023-46813, CVE-2023-5178
Sources used:
openSUSE Leap 15.4 (src): kernel-syms-azure-5.14.21-150400.14.72.1, kernel-source-azure-5.14.21-150400.14.72.1
Public Cloud Module 15-SP4 (src): kernel-syms-azure-5.14.21-150400.14.72.1, kernel-source-azure-5.14.21-150400.14.72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 Maintenance Automation 2023-11-06 16:30:14 UTC
SUSE-SU-2023:4378-1: An update that solves seven vulnerabilities and has 14 security fixes can now be installed.

Category: security (important)
Bug References: 1208788, 1210778, 1211307, 1212423, 1212649, 1213705, 1213772, 1214842, 1215095, 1215104, 1215518, 1215955, 1215956, 1215957, 1215986, 1216062, 1216345, 1216510, 1216511, 1216512, 1216621
CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39193, CVE-2023-5178
Sources used:
openSUSE Leap 15.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2, kernel-source-5.14.21-150400.24.97.1, kernel-livepatch-SLE15-SP4_Update_20-1-150400.9.3.2, kernel-syms-5.14.21-150400.24.97.1, kernel-obs-qa-5.14.21-150400.24.97.1, kernel-obs-build-5.14.21-150400.24.97.1
openSUSE Leap Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
openSUSE Leap Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
SUSE Linux Enterprise Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
SUSE Linux Enterprise Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2
Basesystem Module 15-SP4 (src): kernel-default-base-5.14.21-150400.24.97.1.150400.24.44.2, kernel-source-5.14.21-150400.24.97.1
Development Tools Module 15-SP4 (src): kernel-syms-5.14.21-150400.24.97.1, kernel-source-5.14.21-150400.24.97.1, kernel-obs-build-5.14.21-150400.24.97.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4_Update_20-1-150400.9.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 38 Maintenance Automation 2023-11-06 16:30:25 UTC
SUSE-SU-2023:4375-1: An update that solves nine vulnerabilities and has 17 security fixes can now be installed.

Category: security (important)
Bug References: 1208788, 1211162, 1211307, 1212423, 1212649, 1213705, 1213772, 1214754, 1214874, 1215095, 1215104, 1215523, 1215545, 1215921, 1215955, 1215986, 1216062, 1216202, 1216322, 1216323, 1216324, 1216333, 1216345, 1216512, 1216621, 802154
CVE References: CVE-2023-2163, CVE-2023-31085, CVE-2023-34324, CVE-2023-3777, CVE-2023-39189, CVE-2023-39191, CVE-2023-39193, CVE-2023-46813, CVE-2023-5178
Sources used:
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5_Update_7-1-150500.11.5.1
openSUSE Leap 15.5 (src): kernel-livepatch-SLE15-SP5_Update_7-1-150500.11.5.1, kernel-source-5.14.21-150500.55.36.1, kernel-obs-qa-5.14.21-150500.55.36.1, kernel-syms-5.14.21-150500.55.36.1, kernel-obs-build-5.14.21-150500.55.36.1, kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3
SUSE Linux Enterprise Micro 5.5 (src): kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3
Basesystem Module 15-SP5 (src): kernel-source-5.14.21-150500.55.36.1, kernel-default-base-5.14.21-150500.55.36.1.150500.6.15.3
Development Tools Module 15-SP5 (src): kernel-source-5.14.21-150500.55.36.1, kernel-obs-build-5.14.21-150500.55.36.1, kernel-syms-5.14.21-150500.55.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 49 Maintenance Automation 2023-12-12 16:30:01 UTC
SUSE-SU-2023:4732-1: An update that solves 15 vulnerabilities, contains three features and has 39 security fixes can now be installed.

Category: security (important)
Bug References: 1207948, 1210447, 1212649, 1214286, 1214700, 1214840, 1214976, 1215095, 1215123, 1215124, 1215292, 1215420, 1215458, 1215710, 1215802, 1215931, 1216058, 1216105, 1216259, 1216527, 1216584, 1216621, 1216687, 1216693, 1216759, 1216761, 1216788, 1216844, 1216861, 1216909, 1216959, 1216965, 1216976, 1217036, 1217068, 1217086, 1217095, 1217124, 1217140, 1217147, 1217195, 1217196, 1217200, 1217205, 1217332, 1217366, 1217511, 1217515, 1217598, 1217599, 1217609, 1217687, 1217731, 1217780
CVE References: CVE-2023-2006, CVE-2023-25775, CVE-2023-3777, CVE-2023-39197, CVE-2023-39198, CVE-2023-4244, CVE-2023-45863, CVE-2023-45871, CVE-2023-46813, CVE-2023-46862, CVE-2023-5158, CVE-2023-5633, CVE-2023-5717, CVE-2023-6039, CVE-2023-6176
Jira References: PED-3184, PED-5021, PED-7237
Sources used:
openSUSE Leap 15.5 (src): kernel-source-rt-5.14.21-150500.13.27.2, kernel-syms-rt-5.14.21-150500.13.27.1, kernel-livepatch-SLE15-SP5-RT_Update_8-1-150500.11.3.2
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5-RT_Update_8-1-150500.11.3.2
SUSE Real Time Module 15-SP5 (src): kernel-source-rt-5.14.21-150500.13.27.2, kernel-syms-rt-5.14.21-150500.13.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 55 Joerg Roedel 2024-01-16 14:17:13 UTC
Fixes are merged. Assigning back.
Comment 59 Marcus Meissner 2024-04-05 08:55:54 UTC
done