Race condition in Linux kernel - CVE-2020-8834

Detailed vulnerability description

The vulnerability allows a local user to a crash the entire system.

KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc_{save,restore}_tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to panic. There were 2 commits that, according to the reporter, introduced the vulnerability: f024ee098476 ('KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures') 87a11bb6a7f7 ('KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode') The former landed in 4.8, the latter in 4.17. This was fixed without realizing the impact in 4.18 with the following 3 commits, though it is believed the first is the only strictly necessary commit: 6f597c6b63b6 ('KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_save_tm()/kvmppc_restore_tm()') 7b0e827c6970 ('KVM: PPC: Book3S HV: Factor fake-suspend handling out of kvmppc_save/restore_tm') 009c872a8bc4 ('KVM: PPC: Book3S PR: Move kvmppc_save_tm/kvmppc_restore_tm to separate file')

How to mitigate CVE-2020-8834

Sources

• https://www.openwall.com/lists/oss-security/2020/04/06/2
• https://usn.ubuntu.com/usn/usn-4318-1
• https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1867717
• https://usn.ubuntu.com/4318-1/
• http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00035.html